MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfd9a2b815e4d65adedd1ec1fb28b8bb04ae5d4553f601a9ba96508cc6d1fc34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 8 File information Comments

SHA256 hash:	dfd9a2b815e4d65adedd1ec1fb28b8bb04ae5d4553f601a9ba96508cc6d1fc34
SHA3-384 hash:	96868ec935eff374d0011bde94ea0afb37efde8251ae557f0e72d8a0eb13cf895d1c2dee1278c02da2f4c829aed7a242
SHA1 hash:	f5f1f100ccfdda7e2154301b6d4c73be00ac505f
MD5 hash:	99ed9e2e41cd2f3b986a29d2563cb6a0
humanhash:	idaho-aspen-salami-dakota
File name:	99ed9e2e41cd2f3b986a29d2563cb6a0.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'343'817 bytes
First seen:	2023-07-06 06:11:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c40e9a4f29716be1d546d01b7139454b (164 x RedLineStealer, 82 x Amadey)
ssdeep	24576:tZSFKRmxaSBggiyQSpXQJnuJvH4IEPxxZmAS4:tUF8IggiypGWvFAZmAS4
Threatray	481 similar samples on MalwareBazaar
TLSH	T13F55BD05E09D1D5CC572E7B2BACC23523EAC8874291D613952E21DEF95F9D0E72CBA8C
TrID	44.5% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.5% (.EXE) Clipper DOS Executable (2018/12) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
77.91.68.70:19073

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

99ed9e2e41cd2f3b986a29d2563cb6a0.exe

Verdict:

Malicious activity

Analysis date:

2023-07-06 07:18:44 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/97dde617-c437-4f13-8562-11de51904a5b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/408841/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.27099.24401.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/64a65b338583eaadb34f0679/reports/001342d2-4dde-4f37-8d9d-0bd9254258b3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/dfd9a2b815e4d65adedd1ec1fb28b8bb04ae5d4553f601a9ba96508cc6d1fc34

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/841cbf5a-dad4-476f-987d-87a1d353e637

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1268731

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dfd9a2b815e4d65adedd1ec1fb28b8bb04ae5d4553f601a9ba96508cc6d1fc34/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-07-06 00:40:08 UTC

File Type:

PE (Exe)

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=37m2foav4tlfvxw5d3a7wkfyxmck4xkfkp3adkn2sziizrwr7q2a._file

Verdict:

malicious

RedLineStealer

2e5bc55c905c19135013b700f978bb973c899b1c3978c4e68db2c94534fd5aa6

RedLineStealer

2f45efff9ed2e51020855ac029f7d946da660f15e4a03ed5937c46a58a516b2d

RedLineStealer

751cee955bdb193113b5c0919fb17e7a4c55df6afa2ff3e98e94b121b224e74d

RedLineStealer

77a411ad108db41c1b174a2942f25524063ac6a9dcbe04598ec4a0f58a4f4fe2

RedLineStealer

8475eafe4ab9b001192a1479e36ba03b2e6f59e172ec95689fa7fdfdc7b3a1c1

RedLineStealer

864c5f665e0ef6cf7c84a5936706f60b640217f40ff31ce5ebb1f771ef7445ac

RedLineStealer

8ec2409047023ae11bdcb0a8939e42257d88a6ba08925492a6449ce4308bca04

RedLineStealer

e1773c71e23909ad31d7d685e9db591e89f675a87be77f18e764bbb44d78ff18

RedLineStealer

f1c998f801fe51855229dcce7b80d604c549f900a056b86c02a4eb9a8dcc7d4b

RedLineStealer

+ 471 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:furod discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230706-gx8jxshb48/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

77.91.68.70:19073

Gathering data

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dfd9a2b815e4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dfd9a2b815e4d65adedd1ec1fb28b8bb04ae5d4553f601a9ba96508cc6d1fc34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing base64 encoded User Agent

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe dfd9a2b815e4d65adedd1ec1fb28b8bb04ae5d4553f601a9ba96508cc6d1fc34

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2654756/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/408841/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample