MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9be3f2ebd3654b7ecc41d482840872e1daaede423dff221f925acc4c72a6ce3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9be3f2ebd3654b7ecc41d482840872e1daaede423dff221f925acc4c72a6ce3
SHA3-384 hash: c13e3b9a5177d9b23e17cdaccb0af91ab66ad12a840707380caa1036bba947820c205afcf29c70ed926683c77fdead43
SHA1 hash: 57d0fd392ebb4e40e17f2a3fecd4521d04281f32
MD5 hash: b7649de5628e2c6b2be40b6d2fe115c5
humanhash: emma-romeo-monkey-summer
File name:f9be3f2ebd3654b7ecc41d482840872e1daaede423dff.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:292'352 bytes
First seen:2023-02-13 17:00:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4fd97bcd302d74255f80d3b6ed694f15 (13 x Smoke Loader, 6 x RedLineStealer, 2 x TeamBot)
ssdeep 6144:oGCAaaeg4kNjQJCw+wY2GMMIRFx+rbCzUDuYgkUQQBoZTEx:ozBa98Cw02GMNR8CzUyYgzQQBoZT
Threatray 17'009 similar samples on MalwareBazaar
TLSH T1875401127750C1B3E9B289352822DB816B7BF876876191CB37C1297E1F713D1893A74B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 81e56565e5c583b8 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
103.169.34.87:27368

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
f9be3f2ebd3654b7ecc41d482840872e1daaede423dff.exe
Verdict:
Malicious activity
Analysis date:
2023-02-13 17:01:40 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/19809c10-abb7-4e23-ad25-6e2269782c92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/365193/
Detection(s):
Sanesecurity.Malware.28830.BadO.UNOFFICIAL
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63ea6cd231c239ad0c455e9e/reports/473dc059-0794-4d09-9938-73d0c978aa2b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f9be3f2ebd3654b7ecc41d482840872e1daaede423dff221f925acc4c72a6ce3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e787774-4025-4799-8e9c-4c8ab5682440
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1173596
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9be3f2ebd3654b7ecc41d482840872e1daaede423dff221f925acc4c72a6ce3/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-02-13 17:01:09 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7g7d6lv5gzklp3gedvecqqehfyo2v3peepp7eipzewwmjrzkntrq._file
Verdict:
malicious
Similar samples:
0143e6dc021cd5746ff4c791010a9168608970e7890fa4ae0479d6a72d75737b
RedLineStealer
42879f043b3c0142be9fd2fed75472c792f1548992ad94e7322acf27fb3e8de5
RedLineStealer
43834e6b6154b76cf979f1363c549d2e2d2eda1d43292c7bab5efabdd9f6220e
RedLineStealer
4674e32e64508cf23ecaccb6182b4607c08a81a11143593d7d9f7e1885fbe96c
RedLineStealer
6b262ba38f3f84729181e45cf5bc8a854ad79a79c6f60237adf8a7ebe8e03b67
RedLineStealer
87ea7cd5107ade708abb4f7f47815fccab81bc11af9837f43a39e05b8c846fab
RedLineStealer
ad436abe329dd8a5fb85d8ba2ff8893daa1857d78918d296b66f5e644bffb3e1
RedLineStealer
dcdbb1b2c91f8df190e07303fdb6639a9618e965d0b32d56d511b222c6c5d1af
RedLineStealer
e21d57cbb204f532554bb0ec8f6d580596362b4c6edb30124cc94b62366e0811
RedLineStealer
f45b161330c2674524d50c230275ae033c2532f98a6defd790c59de76a6aae33
RedLineStealer
+ 16'999 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230213-vjjwasea6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
103.169.34.87:27368
Unpacked files
SH256 hash:
ff953db7ae99a8dc7d4aec5eced07215efe621eae72aca74741caa743d979bf7
MD5 hash:
a04b54f9b6151bc581e08f66410a04f8
SHA1 hash:
cfc14efd6a3023856c186ff27e3bef13f8a0520f
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/cd83352c-5cc9-4e90-908d-0b673dec0878/
SH256 hash:
b99abebf69eb2be0ae78bb11c1b60d485808f518ba7ebba7cd2edad56b4e7287
MD5 hash:
a20a1c595c66217dcc6c9a7184f6bf12
SHA1 hash:
cd873d4062d78d03551aeda8a613327650d471f4
Link:
https://www.unpac.me/results/cd83352c-5cc9-4e90-908d-0b673dec0878/
SH256 hash:
662f5bfddc91da23f1fa484df5b0d21f8585fdde9577975890d0e0fe2fd2201c
MD5 hash:
4bd1249af2f2218ae1462aee30bdd98d
SHA1 hash:
add4a22c78876bf4023dfb2b3fbb4e20585d3d6a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/cd83352c-5cc9-4e90-908d-0b673dec0878/
SH256 hash:
f9be3f2ebd3654b7ecc41d482840872e1daaede423dff221f925acc4c72a6ce3
MD5 hash:
b7649de5628e2c6b2be40b6d2fe115c5
SHA1 hash:
57d0fd392ebb4e40e17f2a3fecd4521d04281f32
Link:
https://www.unpac.me/results/cd83352c-5cc9-4e90-908d-0b673dec0878/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9be3f2ebd36/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9be3f2ebd3654b7ecc41d482840872e1daaede423dff221f925acc4c72a6ce3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f9be3f2ebd3654b7ecc41d482840872e1daaede423dff221f925acc4c72a6ce3

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/365193/
  
URLhaus
https://urlhaus.abuse.ch/url/2539697/
  
Delivery method
Distributed via web download

Comments