MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2
SHA3-384 hash: 158964125a474028312973cf389495cc5bfa48fb373c0e92a9e262faadc5a35c4c66e772eb4be19ce94bf3ec0c00a15f
SHA1 hash: 884254ea51e126da4e3a2bcad9e2c288e8ece8d7
MD5 hash: a1d235f9df5e4f7797abe0ccee91b6ac
humanhash: leopard-stream-orange-golf
File name:IObit Driver Booster Pro 9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'186'304 bytes
First seen:2022-08-22 09:42:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:zpy3s93HOkRbN8HMYKYmZ/JZtSdMX9dKiopn8zCfS31H:zhHxX8bR5fSlH
Threatray 374 similar samples on MalwareBazaar
TLSH T133456C29E74B15B4DA635771859EEA779B047A348022AE3FFF4BDA0CB8330173C85256
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tech_skeech
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
IObit Driver Booster Pro 9.exe
Verdict:
Malicious activity
Analysis date:
2022-08-22 09:44:00 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/f0a50f39-6273-44ed-add1-a24bfb862163

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300188/
Detection(s):
Win.Malware.Generic-9964431-0
Create hunting rule

Win.Spyware.Fragtor-9964509-0
Create hunting rule

Win.Spyware.Fragtor-9964514-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29647/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/630350208032e1622110d10f/reports/81b00096-8a35-4ce7-8cf5-f14ce1319e02/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/296897d5-c4b8-4afe-9c38-963aaf6a6a74
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055429
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 09:43:10 UTC
File Type:
PE (Exe)
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kr6sjwuxgmbwszbvhc2ftlb3vltxdxone4ksum5xx6kxmzaopba._file
Verdict:
malicious
Similar samples:
1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901
RedLineStealer
30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5
RedLineStealer
56013a94edeaf931e04fc0103058f3d183f1fd9f46e4e133d6f4bb63a0826486
RedLineStealer
6ace84c8a5b97075e435df18a59c7dcaa90091c8b3140deedf5139329d1890df
RedLineStealer
768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b
RedLineStealer
8029372ee0d847274003b41f70af056c577b82ad655ccaeb3163775e4bf1dcab
RedLineStealer
8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe
RedLineStealer
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
RedLineStealer
adadc8e69ed95353daf38d970dcecffdde40cafc24fefd37db059ff19fcf2c79
RedLineStealer
f524babf2428be1c97d53f2c6508e9e851ff869d47f6957d9a71178308790200
RedLineStealer
+ 364 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220822-lpxjxaeaem/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
RedLine
RedLine payload
Malware Config
C2 Extraction:
62.204.41.141:24758
Unpacked files
SH256 hash:
444d9397b42b550345ca90a3d0150c8e974595b6e25cb9cd1784632bd1a0bd6b
MD5 hash:
456b21e65801ff4a3a5e58f3f2c0fc69
SHA1 hash:
95ae365ceb121b9380f7aa9a2265e643b2988f9a
Link:
https://www.unpac.me/results/d8858384-7143-4d68-9666-ed8a3bad4c06/
SH256 hash:
faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2
MD5 hash:
a1d235f9df5e4f7797abe0ccee91b6ac
SHA1 hash:
884254ea51e126da4e3a2bcad9e2c288e8ece8d7
Link:
https://www.unpac.me/results/d8858384-7143-4d68-9666-ed8a3bad4c06/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/faa3e926d4b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/300188/

Comments