MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0b3267fa660090a9f3008f4fe70f4191d51ec5d087692a0e218a137f10dbaae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0b3267fa660090a9f3008f4fe70f4191d51ec5d087692a0e218a137f10dbaae
SHA3-384 hash: 5384cbbc7abcb5175745c17b2c28627fe6ab4dcc691862275271cf018e6f780797129023486a6c740cc19db3672e06f5
SHA1 hash: 1850d9f79a82d413614b804cbbb5edf14a8a7b52
MD5 hash: ab73eec3adfe3e166e36a277cd333207
humanhash: three-december-pluto-mars
File name:ab73eec3adfe3e166e36a277cd333207
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:949'488 bytes
First seen:2021-11-25 14:33:22 UTC
Last seen:2021-11-25 17:49:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e89b6af7129fc4015f9c1420d59d0b77 (1 x RedLineStealer)
ssdeep 24576:XTEgGYwl/7arsZxwitPZAxF76LGtpJHlMbW:XTEgGYwt7A8sFWLGtpzt
Threatray 568 similar samples on MalwareBazaar
TLSH T11E1512D21BDD1C33DD45A9FB0E6BA22B64D2AF1860CEA3D583D7A5EC180B1891D8DD13
File icon (PE):PE icon
dhash icon b271ce8e8e4db0b2 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:Cooler Master MasterGel Pro v3 (MGY-ZOSG-N15M-Z6)
Issuer:Cooler Master MasterGel Pro v3 (MGY-ZOSG-N15M-Z6)
Algorithm:sha1WithRSAEncryption
Valid from:2021-11-24T10:03:30Z
Valid to:2031-11-25T10:03:30Z
Serial number: 1a1f61547fa1c0b94eaabb2473ae10ab
Thumbprint Algorithm:SHA256
Thumbprint: ed829c6aba3cbe255ff34a74756002258108330114cd4e2871e05d90e3e8c8b6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab73eec3adfe3e166e36a277cd333207
Verdict:
Malicious activity
Analysis date:
2021-11-25 14:52:53 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/7d4b10a3-1199-444d-9b0a-e49f1d7479d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Lazy.38799.16193.30170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/619f9edeb71ceed415301df5/reports/30374f74-14db-4467-84c4-77c380ea0371/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0900351-e9c5-45ab-91ad-a367262d7046
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896172
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0b3267fa660090a9f3008f4fe70f4191d51ec5d087692a0e218a137f10dbaae/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 14:14:17 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6czsm75gmaeqvhzqbd2p44hudeovd3c5bb3jfihcdcqtp4inxkxa._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
0e0d466f63d4be35005e91ba9df0dc5e42ef15cf3db68cbfe461f354834709e4
RedLineStealer
6a498d84dd0cba5d8e272cbc5cb10382e7fd0da648a345e92c26414ceb5d3dc8
RedLineStealer
899212cef8387993ef7e01d930fd9b946a5531c63ab885f4641b7a3061d05f73
RedLineStealer
8b59d8f1ea4fb412eb2064b4243c6f2dcc4efd26b78e3eae92c9daf6f6a70b7b
RedLineStealer
8e0bf87628ea9c37fd9a0ca40fbbac0bf8d219f2f514efad2f63e0ba90cf7dd4
RedLineStealer
b61afe14307f31673f7ca5970d1bc8226dc21ef34a3f71a549025bf5babb3e86
RedLineStealer
cfa609ebc5780ab5ea678154e60e6e483076f82c74ec1129a3653b1c35173736
RedLineStealer
f62a8d9f1eea507f85a7f6c9146712fe9cb0bc9313fd45d47eeb14818618d0d3
RedLineStealer
fbb99570b341367a86c2c23b56862bfb3d3ea91c06e7c15750f7d36bf82f494b
RedLineStealer
+ 558 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211125-rxfh9afdhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
d1253687b06f3c22f176f51aae1e55d4c16fb95489f1b62fd1f19d9770706bde
MD5 hash:
99771f07746fb23b8d4fd1f87a808840
SHA1 hash:
5adb486bf4d3bd2e2fd6a052ae87488a9d5cb2d0
Link:
https://www.unpac.me/results/928453fa-937a-413d-a086-8b7866636006/
SH256 hash:
f0b3267fa660090a9f3008f4fe70f4191d51ec5d087692a0e218a137f10dbaae
MD5 hash:
ab73eec3adfe3e166e36a277cd333207
SHA1 hash:
1850d9f79a82d413614b804cbbb5edf14a8a7b52
Link:
https://www.unpac.me/results/928453fa-937a-413d-a086-8b7866636006/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f0b3267fa660/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0b3267fa660090a9f3008f4fe70f4191d51ec5d087692a0e218a137f10dbaae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f0b3267fa660090a9f3008f4fe70f4191d51ec5d087692a0e218a137f10dbaae

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1816671/
Cape
Cape
https://www.capesandbox.com/analysis/209385/

Comments