MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f171ab5612449529b71fca26c2430ae31307b34c84c5f629a2bbeae9df63b92b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	f171ab5612449529b71fca26c2430ae31307b34c84c5f629a2bbeae9df63b92b
SHA3-384 hash:	bd5ff3ef32393bcd83ffe9e078e55a24fe8ef152c778d73fecb93dce235b028ccea01100a000bf2532ebed88e1d45da4
SHA1 hash:	c4f866857e771a95fe30b34208e08da7dccd8dea
MD5 hash:	6b354fb8f32d3198e6e51cd3b6542918
humanhash:	nebraska-connecticut-lake-don
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'233'256 bytes
First seen:	2022-08-31 18:34:30 UTC
Last seen:	2022-09-01 08:20:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep	98304:WGI1zKwcfIDmU079KdcT6rmzr1umfFJDGhAFORmVMYlOLEu:WvdKIDmU0hKdcLrl7DSAFO4VK4u
TLSH	T1483612B7626601A2D0E6CC3687277D9532B61B674F42BCB669C57DC429321E0F332B93
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	6872f2d494148c8f (2 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Logitech Z-906
Issuer:	Logitech Z-906
Algorithm:	sha1WithRSAEncryption
Valid from:	2021-12-02T17:49:44Z
Valid to:	2031-12-03T17:49:44Z
Serial number:	454f68c4614e039041e5af851cb9dc28
Intelligence:	6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	d66eaf03204931fd078dcbd330cdbe4098d68284ecd7bc5009d3a21b37641b3f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc743379129_647452499?hash=LfmZ6VKGR6k57bM77OJGkxrczsnpBbubEXiCsUrZcAk&dl=G42DGMZXHEYTEOI:1661970623:0BqvD2VzdpfNR2DmVxez32KOfTk86kt5zS03717iV1D&api=1&no_preview=1#aysina

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
109.107.181.110:34067	https://threatfox.abuse.ch/ioc/847031/

Intelligence

File Origin

# of uploads :

# of downloads :

374

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

installer.exe

Verdict:

Malicious activity

Analysis date:

2022-09-01 01:13:16 UTC

Tags:

evasion redline trojan opendir socelars stealer loader rat

Link:

https://app.any.run/tasks/427cf095-9aeb-4d61-975a-92e4504a737f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/306980/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm overlay packed

Link:

https://www.filescan.io/uploads/630faa2c2fdf5a082595abab/reports/e0ea810a-2896-435f-ad57-094cabb2c7d0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5d8c4f76-7a10-4b43-9956-ee2cd67a6f53

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1061870

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f171ab5612449529b71fca26c2430ae31307b34c84c5f629a2bbeae9df63b92b/

Threat name:

Win32.Trojan.Redlinestealer

Status:

Malicious

First seen:

2022-08-31 18:35:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6fy2wvqsiskstny7zitmeqyk4mjqpm2mqtc7mkncxpvotx3dxevq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220831-w8cnysbhh6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

c081085f14e23ffda9449c54c3ef268074396081feba0a53c047fe1825cb188c

MD5 hash:

454b6780cab2d542ae7424b0f6ba7430

SHA1 hash:

c29e8aaddc092e85ed80319af8d6a299feb5addb

Detections:

redline

Link:

https://www.unpac.me/results/8c7ffa67-c42b-452c-9f1c-f0ba08c56824/

Parent samples :

f171ab5612449529b71fca26c2430ae31307b34c84c5f629a2bbeae9df63b92b
ccd060144933d510a122012c1ebb0dc47d92b515a36e31e86f2534e3391564ed

SH256 hash:

0a440bd3abbe93755177fbf7da6a95f00da2ee2cc1e2fd3c1a35cc7767cdbd34

MD5 hash:

0c99eb529fca7405071716dba243855a

SHA1 hash:

0e11737a9519109b72dd745c0ced337147d2d3b3

Detections:

redline

Link:

https://www.unpac.me/results/8c7ffa67-c42b-452c-9f1c-f0ba08c56824/

Parent samples :

f171ab5612449529b71fca26c2430ae31307b34c84c5f629a2bbeae9df63b92b
ccd060144933d510a122012c1ebb0dc47d92b515a36e31e86f2534e3391564ed

SH256 hash:

f171ab5612449529b71fca26c2430ae31307b34c84c5f629a2bbeae9df63b92b

MD5 hash:

6b354fb8f32d3198e6e51cd3b6542918

SHA1 hash:

c4f866857e771a95fe30b34208e08da7dccd8dea

Link:

https://www.unpac.me/results/8c7ffa67-c42b-452c-9f1c-f0ba08c56824/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f171ab561244/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f171ab5612449529b71fca26c2430ae31307b34c84c5f629a2bbeae9df63b92b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/306980/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample