MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 7 File information Comments 1

SHA256 hash:	f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7
SHA3-384 hash:	5a6f0b0cc8b6b4add9ab66d0764ae548cefce9f1e830e3aef65ab1da032bcc0418ba383da1db111bfab465277974ec57
SHA1 hash:	b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526
MD5 hash:	4d96f213bfbba34ffba4986724d3a99c
humanhash:	winner-tango-oven-october
File name:	4d96f213bfbba34ffba4986724d3a99c
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'614'560 bytes
First seen:	2021-12-02 23:02:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5434c42555f1a40fd580a80637fb1d3c (1 x RedLineStealer)
ssdeep	24576:h2WuJrCAfYGN7gsWkLjUB3UAITIH5TUQisuKNeDHo:h23JOAfYGRikLj8WT01ULsuKNeDo
Threatray	36 similar samples on MalwareBazaar
TLSH	T18275A127BB0C524DF9A03839E283A601FA0416D5ADFDE1E4DBFAAF672353CD471461A1
File icon (PE):
dhash icon	64d288ccd4a2bc39 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.38.55.29:65221	https://threatfox.abuse.ch/ioc/258827/

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4d96f213bfbba34ffba4986724d3a99c

Verdict:

Malicious activity

Analysis date:

2021-12-02 23:05:37 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/1638c153-2e7f-40bb-b7e1-51c73c611565

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/210880/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.2172.7495.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/605/overview

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61a9506f4d8e6f3a5e0bc579/reports/0a4bc5db-9abc-4816-abbe-2e021ddc2748/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3cb942dc-0e0c-44d6-b640-8625e1073693

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/900569

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7/

Threat name:

Win32.Spyware.Generic

Status:

Suspicious

First seen:

2021-12-02 18:29:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ea4fhvujdwefcggefn2nlym5acabg3j4zifvm27ca37eocr6w3q._file

Verdict:

malicious

Label(s):

ryuk

RedLineStealer

27e3dba2c9a650f67d7d14b0fcc6c49cbf71b995e555651736b10030804c31e1

RedLineStealer

3b3281feef6d8e0eda2ab7232bd93f7c747bee143c2dfce15d23a1869bf0eddf

RedLineStealer

9f25264d954d82b3ef3dd1ab336bd7dad2ca7132b90c20128de327e1fb02f9cf

RedLineStealer

b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761

RedLineStealer

e7b24950fcd9f57630cd1d779ce59f58c8b39d598332b66a64894de0aaf88daa

RedLineStealer

f2dc381b529cbc75c03ca8bf1886b0ee6b1e2622f8918a27a876c50889e2ae7e

RedLineStealer

fc7d4ac0a19ec0f8aa9c6bca854520705b9e56d51460ae5e8edb3b4c5573fbae

RedLineStealer

+ 26 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211202-2z5ahaffb3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

699653ff7b111c1f7f43ad743ddffc031a822492f7d372b5071e5c17342e94aa

MD5 hash:

38b9ccbd77dc9ad0607c652e237352ca

SHA1 hash:

73b8a02d377fc72be5cc8606526407a7dd10c408

Link:

https://www.unpac.me/results/48f25295-6949-4d65-addc-b2665ae5b02e/

SH256 hash:

f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

MD5 hash:

4d96f213bfbba34ffba4986724d3a99c

SHA1 hash:

b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

Link:

https://www.unpac.me/results/48f25295-6949-4d65-addc-b2665ae5b02e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f901c29eb448/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time