MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f62cebe556bf3cdac1deae1af87712ad928f25e95b6630973511903fcf889c37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	f62cebe556bf3cdac1deae1af87712ad928f25e95b6630973511903fcf889c37
SHA3-384 hash:	ec79c2792b82d51eec5fb778f7f4c4562db9884ad7c6bedfd75df108a507f26619b2ceccba32f5173846f69cf213962b
SHA1 hash:	654d0436fc8e0042c9dcd9597a1bf4ba60d629b4
MD5 hash:	8ff709cb8fed0155fc1c77c7af4d1d08
humanhash:	tennessee-nine-football-island
File name:	main.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	901'120 bytes
First seen:	2022-06-18 22:40:46 UTC
Last seen:	2022-06-18 23:45:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	08a024e881cfeb4e54ac3c8a2ca94678 (2 x RedLineStealer)
ssdeep	12288:lS7+S/4i+Sr54tlkSo5FDUFco4PwgOC0yxJQi7XLZF/Uhunnc6vD6ZeqQ:lS75/4Ir54tlkMGxJQinZF/Ui7s9
Threatray	4'232 similar samples on MalwareBazaar
TLSH	T17A159F613DC1C171DDF220B581ECB924427DE5B00B275EE79BC897EEC6206D63B3A986
TrID	58.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.4% (.EXE) Win32 Executable (generic) (4505/5/1) 3.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

378

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

main.exe

Verdict:

No threats detected

Analysis date:

2022-06-18 22:35:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f467b8a0-119e-48ce-8b16-26d62e9a19a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/281214/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.32832.18411.262.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/21895/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware keylogger zusy

Link:

https://www.filescan.io/uploads/62ae54bcb0582adf05b16042/reports/277f3e3f-ab08-4e5a-b3b7-ad883a3c17af/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7afbfba6-a86b-4b75-b7f3-26cd630febdd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1015778

Signature

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f62cebe556bf3cdac1deae1af87712ad928f25e95b6630973511903fcf889c37/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2022-06-18 22:41:11 UTC

File Type:

PE (Exe)

AV detection:

8 of 40 (20.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ywoxzkwx46nvqo6vynpq5ysvwji6jpjlntdbfzvcgid7t4itq3q._file

Verdict:

malicious

RedLineStealer

4d26421ffb50624467c0a1772e1f5a1312c8b2f5462c29620e1010a957086274

RedLineStealer

986b1e107fdcf5ba3eec492626b08ea3d4e2091931d10b196a11c790a6f43d0c

RedLineStealer

a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e

RedLineStealer

ab13f05aec11044e1c4553a42b85ebc1bcc0aed156edf0e940a8a18e03470cef

RedLineStealer

f5f6a2006fa6833364a61f6c6258c00a9f5fb326fe52bec3e7e4342e26017fdd

RedLineStealer

+ 4'222 additional samples on MalwareBazaar

Result

Malware family:

egregor

Score:

10/10

Tags:

family:egregor

Link:

https://tria.ge/reports/220618-2l3vhsbgbk/

Unpacked files

SH256 hash:

f62cebe556bf3cdac1deae1af87712ad928f25e95b6630973511903fcf889c37

MD5 hash:

8ff709cb8fed0155fc1c77c7af4d1d08

SHA1 hash:

654d0436fc8e0042c9dcd9597a1bf4ba60d629b4

Link:

https://www.unpac.me/results/258c289a-bd1c-4b02-b232-cd0226af30a7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f62cebe556bf3cdac1deae1af87712ad928f25e95b6630973511903fcf889c37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/281214/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample