MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9941f4a8666aec566e088884417d7324956564b964c47444c665073bc28f35b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	f9941f4a8666aec566e088884417d7324956564b964c47444c665073bc28f35b
SHA3-384 hash:	5b530fd414bd27407e051620bbac02c20c587c219ce03097d7ba19b44903240c6d876e9f982260bbd77b3c4bde0e60de
SHA1 hash:	0e96362fbafe0580323270da9a5a6eaea60afe27
MD5 hash:	ada77e2462c2bb834f7486d22a74b939
humanhash:	princess-december-tennessee-double
File name:	ada77e2462c2bb834f7486d22a74b939.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	436'224 bytes
First seen:	2021-04-01 18:42:39 UTC
Last seen:	2021-04-01 19:51:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c8c8625d090db8cf98f1eda7b8f5bc12 (1 x RedLineStealer)
ssdeep	6144:Pw1hFGwAUIyFSsOg1tT0ycZsXvJfJwRpi+0bspH2RvcXTkSAdn:Pwr4UIyJP/cZsXBqWPA52+kb1
Threatray	400 similar samples on MalwareBazaar
TLSH	B894CF1133D0C032D19355798825CBB15FBEB9B61A656ACFBBC41ABD5F203D29A3630B
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ada77e2462c2bb834f7486d22a74b939.exe

Verdict:

Suspicious activity

Analysis date:

2021-04-01 18:48:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a1e78e77-cba4-4166-abe1-810176ccffcd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/131525/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.30166.30724.3963.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5973f232-74f3-4a39-8fea-8e9e772bc746

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/662729

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f9941f4a8666aec566e088884417d7324956564b964c47444c665073bc28f35b/

Threat name:

Win32.Trojan.Caynamer

Status:

Malicious

First seen:

2021-04-01 18:43:04 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7gkb6sugm2xmkzxarceeif6xgjevmvslszgeorcmmzihhpbi6nnq._file

Verdict:

malicious

RedLineStealer

1e93fd2be4ac69ce3d235aae5cb9099fa404376bfa76ade998efd42dd190f735

RedLineStealer

24c6a342ebad96c85df3bf4318a0df5a42e27647657157ee5f9ab0b4ba051e10

RedLineStealer

37b026efa4d522e78254378341d61b888b1a454723c7bd50d11ead50d624d8da

RedLineStealer

54329e92940f21e4cf24c14a70f3e4874d91d7d15b74097c9fbd56b89f87738e

RedLineStealer

66a38cc4c3d771280b087ca859dfb95644588421f633e83abab7cd4e4169003f

RedLineStealer

a037c92bc75769e88e0d233c66624d579fda2f356b963caca083d89d8e331d40

RedLineStealer

becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272

RedLineStealer

cca7603860e679057bcb934a4bd7cf7b62ba96355cf7c367e2e50cbc6664253f

RedLineStealer

f7e90700d24a89ad3d5daed763f0efad40e3f0ba3b1cffdf2532e068b7f2727b

RedLineStealer

+ 390 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210401-ge6h4c6d5n/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9

MD5 hash:

78a535422e2f6ee38d23303739633df4

SHA1 hash:

a79eb74129aaa63ca4175bad850510667e876255

Link:

https://www.unpac.me/results/5761b0cf-7f31-43c7-8b80-7f3ce40b4354/

SH256 hash:

bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630

MD5 hash:

71705e85f8748ca46e31537e62e19037

SHA1 hash:

4f2b3ee4cf0809016c4a9f6958ec752067d838cd

Link:

https://www.unpac.me/results/5761b0cf-7f31-43c7-8b80-7f3ce40b4354/

SH256 hash:

aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848

MD5 hash:

c61ed3bf3203c28408a6b58a338b0b07

SHA1 hash:

1eafb1e9511440ba36ba0f05d3fe0f076805fd75

Link:

https://www.unpac.me/results/5761b0cf-7f31-43c7-8b80-7f3ce40b4354/

SH256 hash:

f9941f4a8666aec566e088884417d7324956564b964c47444c665073bc28f35b

MD5 hash:

ada77e2462c2bb834f7486d22a74b939

SHA1 hash:

0e96362fbafe0580323270da9a5a6eaea60afe27

Link:

https://www.unpac.me/results/5761b0cf-7f31-43c7-8b80-7f3ce40b4354/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f9941f4a8666aec566e088884417d7324956564b964c47444c665073bc28f35b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.