MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f69f9b3165ea2272211cd546d8391be45a29d391e0ecb1a179d88c828eab28b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	f69f9b3165ea2272211cd546d8391be45a29d391e0ecb1a179d88c828eab28b8
SHA3-384 hash:	df9e0bc6cc34e377590f9ab83b7647ca65479f395bf90c72c546cd39835abee43c80174f6a2440eaa72d8eb9ba8bc649
SHA1 hash:	5281a4369853a5d274533029034d72d8ae6653ab
MD5 hash:	a8f352aea188fd52b188abce1df00857
humanhash:	burger-pizza-crazy-bravo
File name:	Installer Far Cry 6.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	18'944 bytes
First seen:	2021-10-20 23:54:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	384:42SBdsCAeXPsvjN9zlL/N3yRqDt3RLIjK:9SFAeXPSZV4kt3RuK
Threatray	2'087 similar samples on MalwareBazaar
TLSH	T1C1824C22F78993A7C65D1336C7D322808371F3A31162D61E2EDAD68E5C27B141DAD7D8
Reporter	JaffaCakes118
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Installer Far Cry 6.exe

Verdict:

Malicious activity

Analysis date:

2021-10-20 23:54:27 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/7d08afed-0ddb-44d2-8aa2-ba551f3de4c0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/198935/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.EHH.genEldorado.7853.3623.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Adding an access-denied ACE

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6170ac599a5a1e91c5c99691/reports/74817ddb-4323-4066-92ec-b999f9929bb6/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f6ba13b9-b13e-4860-9778-67aa1051e42f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/874258

Signature

Contains functionality to hide a thread from the debugger

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f69f9b3165ea2272211cd546d8391be45a29d391e0ecb1a179d88c828eab28b8/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-10-20 23:55:06 UTC

AV detection:

16 of 45 (35.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=62pzwmlf5irheii42vdnqoi34rnctu4r4dwldilz3cgifdvlfc4a._file

Verdict:

malicious

RedLineStealer

2f1e386982e2eec222d82dc5a03c52a9ad81b097058c896937feb47c1ee0525a

RedLineStealer

4db98fd82c7587c5a3c69ecb7574596aa411cded0cbf8f623dd15c3299e0a30f

RedLineStealer

5d5a4e577c7e58c88e50a4c6553943a861ed52728255a3f549ab02d673853a70

RedLineStealer

63301a39b93b63acab80e0a05b909f733d792c7ae829a0a207d2fa2e1498158f

RedLineStealer

82c0fe6ee7c50aab66003d62b80181a69984dd2f46afdc0f0b264b4f9c087ad5

RedLineStealer

a4ea8ccb32a746e3315e35d366246545d6475dc48e8e43cf92da45bf5de0fe7f

RedLineStealer

bba9c79625e584f537b28492801b0d073408b2876a8500285205c99a2c0e8261

RedLineStealer

d7480662bc7ee6dc38227ea381978553b1774774e4a0a70ea3bf6aebbca48622

RedLineStealer

fad39635cac516fe112c996e7fe9fa7d09d4074f349f515626a758dbd38fd336

RedLineStealer

+ 2'077 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:double22222 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211020-3yfq7aaegr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

65.108.0.82:39795

Unpacked files

SH256 hash:

f69f9b3165ea2272211cd546d8391be45a29d391e0ecb1a179d88c828eab28b8

MD5 hash:

a8f352aea188fd52b188abce1df00857

SHA1 hash:

5281a4369853a5d274533029034d72d8ae6653ab

Link:

https://www.unpac.me/results/088bc289-631a-4ec5-8c19-a5a7e5b43652/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f69f9b3165ea/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/f69f9b3165ea2272211cd546d8391be45a29d391e0ecb1a179d88c828eab28b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe f69f9b3165ea2272211cd546d8391be45a29d391e0ecb1a179d88c828eab28b8

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/198935/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample