MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9b5057081ca6e37c63a992234668b244551053a63582ee5bcd24e9e06222278. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 3 File information Comments

SHA256 hash:	f9b5057081ca6e37c63a992234668b244551053a63582ee5bcd24e9e06222278
SHA3-384 hash:	e4b6378ce9cd50b1fd311fd306fc729cba76de1398c5162b5fb0238cf86edc5a44be9bef92bbb18c53c295439a19ddac
SHA1 hash:	9523aca0dacb3e25e234157b69deca035564786f
MD5 hash:	5251c3cd61396eeb732de01832040c6f
humanhash:	comet-robert-tennessee-saturn
File name:	f9b5057081ca6e37c63a992234668b244551053a63582.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'624'263 bytes
First seen:	2022-07-30 13:05:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep	24576:g1n4XoNJ3YPYfzHzGmpMfsdLRn4ESnbxrneGcWmLhKILNqMfl3RuQ55313u:g1hNjn6XcWmLhKIJl3c
Threatray	189 similar samples on MalwareBazaar
TLSH	T125C50A135A8B0E75DDD23BB461CB633AA734FD30CA3A9B7BB608C43959532C56C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.160:8673

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.160:8673	https://threatfox.abuse.ch/ioc/840342/

Intelligence

File Origin

# of uploads :

# of downloads :

349

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295218/

Detection(s):

Win.Trojan.Fragtor-9955199-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/27805/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug overlay spyeye

Link:

https://www.filescan.io/uploads/62e52cfd6336465f2af7dd52/reports/924450d2-4952-431a-9e82-3d2394f00ad6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c2fb235f-2b83-4a94-9c30-53f47a82c412

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1043504

Signature

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f9b5057081ca6e37c63a992234668b244551053a63582ee5bcd24e9e06222278/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-07-30 13:06:11 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7g2qk4ebzjxdprr2terdizulercvcbj2mnmc5zn42jhj4brcej4a._file

Verdict:

malicious

RedLineStealer

26b026ec1b7075e871d3935fa044dcd51304d261c9f57d9d0c40ae716a0c2c63

RedLineStealer

339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297

RedLineStealer

56013a94edeaf931e04fc0103058f3d183f1fd9f46e4e133d6f4bb63a0826486

RedLineStealer

5731c53142e09e1e0db15f92cbacbfdb9ddeed38b613cd75aff12d7b921f4197

RedLineStealer

585be0c57969f505e1ce900d1c0a7c10fc9f69a0e2e36894060f027f5ba54203

RedLineStealer

768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b

RedLineStealer

8dff78ac919fb32a7153abdd3ef9ae3aed5f0e1a65a6362f61d9e3dc90365232

RedLineStealer

bebadfa962b18b44ec66b4dc3b5081c95be4579e78e62bd0985b3579a8bd9b3d

RedLineStealer

f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b

RedLineStealer

+ 179 additional samples on MalwareBazaar

Gathering data

Unpacked files

SH256 hash:

0f6ecd915783a50abe7d4a88c4f1da820171d3a46c5bd90d7fd4ac850c48f433

MD5 hash:

38ea296d2b9b7aeece1b52b141ed9c8d

SHA1 hash:

9472e1ceb0b0db7af513febdc8074a30325ea262

Link:

https://www.unpac.me/results/6c173347-3193-4eb3-b29e-2e9c5ee7c395/

SH256 hash:

f9b5057081ca6e37c63a992234668b244551053a63582ee5bcd24e9e06222278

MD5 hash:

5251c3cd61396eeb732de01832040c6f

SHA1 hash:

9523aca0dacb3e25e234157b69deca035564786f

Link:

https://www.unpac.me/results/6c173347-3193-4eb3-b29e-2e9c5ee7c395/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f9b5057081ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f9b5057081ca6e37c63a992234668b244551053a63582ee5bcd24e9e06222278

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295218/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample