MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3f6a9292fb02c58a1c2a803845f04181658a539706ba03dfdb57404a40f1053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments 1

SHA256 hash:	f3f6a9292fb02c58a1c2a803845f04181658a539706ba03dfdb57404a40f1053
SHA3-384 hash:	aaee6c4a94c794f488d32a4edf06f87257fc4e7f4125d990fa0e46928280111ca639fac57be42d5863af4f9ed745a83b
SHA1 hash:	973dce61b373493c9c84043ed666cebee17da72a
MD5 hash:	a4350782fd9144392fe7ab2526a3969e
humanhash:	jupiter-avocado-glucose-spaghetti
File name:	a4350782fd9144392fe7ab2526a3969e
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'612'928 bytes
First seen:	2021-12-03 11:47:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4069f6c0a839f67849a714a829801aaa (1 x RedLineStealer)
ssdeep	24576:M2WuJrCAfYGN7gsWkLK8K8ZVcP66+U4x7zoEN7v:M23JOAfYGRik/Pd6+U4xN7v
Threatray	32 similar samples on MalwareBazaar
TLSH	T18575C22BB35C524DF900183DA082FA01EB2452D5ADFDF1E4DB7BAD47374AED4718A1A2
File icon (PE):
dhash icon	038b920bd6c6cc74 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a4350782fd9144392fe7ab2526a3969e

Verdict:

Malicious activity

Analysis date:

2021-12-03 11:50:13 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/f477e0a8-7ffd-4b58-9d1b-3a0ddde9dc1c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/211023/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.23034.26941.25499.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/656/overview

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61aa03f64d8e6f3a5e0d146d/reports/d9ec798d-93a0-4cec-801b-92bd987e45b1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/444d0743-b564-4faa-ad24-161c44967e9b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/900831

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3f6a9292fb02c58a1c2a803845f04181658a539706ba03dfdb57404a40f1053/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-12-02 17:22:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 45 (48.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6p3kskjpwawfriocvabyixyedalfrjjzobv2app5wv2ajjapcbjq._file

Verdict:

malicious

Label(s):

ryuk

RedLineStealer

0b976213f5961eb9720219d2624463ec6acc8947004710c7e9885746e2e27234

RedLineStealer

1410147075fb5c4cd1d7d67569d7b3a62554d21c87514714a550a079ebe93301

RedLineStealer

25149614d2732a9db3e86ee490064f943cef5747b19d937d2f3cc2d7e13d29b7

RedLineStealer

27e3dba2c9a650f67d7d14b0fcc6c49cbf71b995e555651736b10030804c31e1

RedLineStealer

36d1c7bd0d09f604463f4e5ed69d13242104989fcd38196acc9b20404ceb61b5

RedLineStealer

72963b69c0f6b2194c28b95a56d8aef0fe2461f7387f97199f0b349628e86496

RedLineStealer

862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55

RedLineStealer

+ 22 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211203-nyfnvsbdc4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

8818a7cb6ec8f86ffcbcda45767a220d913fe7d9d7f8aa9084f570243612ab53

MD5 hash:

c7e19d3ba53bb18f73c36e004c9b09e7

SHA1 hash:

c3325586dc398cd140b07ff1d65dfdf399e2a942

Link:

https://www.unpac.me/results/1fd9c4e3-8645-44f8-837b-986ba87c5f10/

SH256 hash:

f3f6a9292fb02c58a1c2a803845f04181658a539706ba03dfdb57404a40f1053

MD5 hash:

a4350782fd9144392fe7ab2526a3969e

SHA1 hash:

973dce61b373493c9c84043ed666cebee17da72a

Link:

https://www.unpac.me/results/1fd9c4e3-8645-44f8-837b-986ba87c5f10/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f3f6a9292fb0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3f6a9292fb02c58a1c2a803845f04181658a539706ba03dfdb57404a40f1053

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time