MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e29dd9daaec793a33b208c9fad88f9bd4c2f2629e088ee21d28204001b86f67d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	e29dd9daaec793a33b208c9fad88f9bd4c2f2629e088ee21d28204001b86f67d
SHA3-384 hash:	6438bb71372b8dc7d956202f2c915722925d5c62b0e3247e7cc2cbe3ed83ea79323ab3014bb16ccf70af332965843022
SHA1 hash:	c1aefcf8a326a0f6e3aa7e97ef4b51c8a320b722
MD5 hash:	e463c70b1eb5e110b0cd711ea594a883
humanhash:	charlie-jersey-snake-fanta
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	630'552 bytes
First seen:	2023-01-16 22:42:43 UTC
Last seen:	2023-01-17 15:08:35 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:G5H1uk5XGi68TuzHVHiVg8P3+dNxRRXZBFNK01+nMYkBx:G5kk5XGi68Te1HiRORrkg+nM9H
Threatray	957 similar samples on MalwareBazaar
TLSH	T1A8D47C2509B43E42C2765F32900ECEB80BA01D792EA14D55ABD8FFF732F27752295726
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	aebe385c4ce0e8f8 (1 x RedLineStealer, 1 x VenomRAT)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Acer Nitro 2 AN517-57 [AN517-75-77M3]
Issuer:	Acer Nitro 2 AN517-57 [AN517-75-77M3]
Algorithm:	sha1WithRSAEncryption
Valid from:	2023-01-15T15:16:04Z
Valid to:	2033-01-16T15:16:04Z
Serial number:	1cea34b0cbbf1aa7476eeef2cfc69a20
Thumbprint Algorithm:	SHA256
Thumbprint:	843ac584e5986ea518b1cf1991cb68789c9672f1c7b4c865e0f3c0f84c03bafc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc712319849_659937836?hash=q6apcrkurxhumedVZoMKz1PutaVZELgrFIVHuj4Alno&dl=G4YTEMZRHE4DIOI:1673900678:cO2aUKvU6PNY6SI5ckkKIhVe1l9n3Az4fRL5ETO43co&api=1&no_preview=1#sss143

Intelligence

File Origin

# of uploads :

# of downloads :

239

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-16 22:45:14 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/d3b28f11-e6aa-4649-a984-0f09b3c3ca39

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/353565/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.9884.12180.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

80%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/63c5d2f8afdaca54d438961d/reports/2530400a-db4f-417b-8aae-79ec50016b0f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f94ef293-ac3a-44b7-a565-c8dfcd483d36

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1152663

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RedLine Stealer

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e29dd9daaec793a33b208c9fad88f9bd4c2f2629e088ee21d28204001b86f67d/

Threat name:

ByteCode-MSIL.Trojan.Privateloader

Status:

Malicious

First seen:

2023-01-16 22:43:07 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ko5twvoy6j2gozarsp23chzxvgc6jrj4ceo4iosqicaag4g6z6q._file

Verdict:

malicious

RedLineStealer

446abdfdd249bca6964b7dc14013be5d833360b0eba026a6303c3132fc797bc0

RedLineStealer

67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea

RedLineStealer

7bf2c0637653a1da45dc1c1277e1cc8573b6060688e071be9b347480e858a5c6

RedLineStealer

bcba671f1e3e1f7ab80f59d5c1cb280bfec3ca519b37820af0bb720fb5d7a8b9

RedLineStealer

de232478760fe7e38a80ac8b6fd94b66d3d8983c88e922272f88fd0ceb5669fd

RedLineStealer

eb5ec9cf758bd526db090f9290d323201911b4181c3bfeb3ebd1f1af8be19285

RedLineStealer

f2529dae29184e925055095be10ac75fb92247ddb367f0b589fc5d7a88285369

RedLineStealer

+ 947 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:qq infostealer spyware

Link:

https://tria.ge/reports/230116-2m8gdsaf5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

79.137.192.41:45006

Unpacked files

SH256 hash:

e29dd9daaec793a33b208c9fad88f9bd4c2f2629e088ee21d28204001b86f67d

MD5 hash:

e463c70b1eb5e110b0cd711ea594a883

SHA1 hash:

c1aefcf8a326a0f6e3aa7e97ef4b51c8a320b722

Link:

https://www.unpac.me/results/36d99a4a-0bac-449a-8cb8-3baa998cc133/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e29dd9daaec7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e29dd9daaec793a33b208c9fad88f9bd4c2f2629e088ee21d28204001b86f67d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/353565/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample