MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faa8e59387b8ca7ea8748026c8c0097821b2e61aad9a7b18dbd88e00cb091083. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faa8e59387b8ca7ea8748026c8c0097821b2e61aad9a7b18dbd88e00cb091083
SHA3-384 hash: 99a125b4b4e39b16da7e11b0be110d9a3e8b62fff5d229fa82f9c1299f7d4012b6f4887a040e9b7f5e20e2cd613685c0
SHA1 hash: ce5f9fc5a657e19defe9f42f6bbb95f19567118a
MD5 hash: fc005c5ed4aa87e2281b5582b84424e7
humanhash: pip-alaska-eight-tennis
File name:hwidspoofer.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'569'664 bytes
First seen:2022-01-09 06:38:46 UTC
Last seen:2022-01-09 08:34:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 49152:A7DRk+do44GnFNpgmwdK6iwdtCIaFnZZieshTlHGn6aRW62X9OjSkHhbbn0LzgeF:AfRUEQdK6bKpsh5HpGFjSkH2gSTZ46
Threatray 885 similar samples on MalwareBazaar
TLSH T142F533B6F3E73DCBC20A127DDCB8E35976A326399691E0C263DC09258E211F774605B9
Reporter tech_skeech
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.186.142.127:10853 https://threatfox.abuse.ch/ioc/292016/

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hwidspoofer.exe
Verdict:
Malicious activity
Analysis date:
2022-01-09 06:40:42 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/dc1fb5b2-b342-4045-939a-9dc44d738b6a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217868/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61da83091c0d769df9dac891/reports/1c246ea1-8f7d-449b-864c-eabb3d78e5d9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aead3a14-337a-4e35-b1d4-96fba7e30975
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917246
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/faa8e59387b8ca7ea8748026c8c0097821b2e61aad9a7b18dbd88e00cb091083/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-01-09 06:39:23 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kuole4hxdfh5kduqatmrqajpaq3fzq2vwnhwgg33chabsyjccbq._file
Verdict:
malicious
Similar samples:
0c026f6f5c3577b153ad00b629075001de41ad9d26de2723aacbf3a87c8bc0ef
RedLineStealer
17be6c33020601127b2ac2e87be0dadb64c7af911d38ba70bf4d86d595ca4759
RedLineStealer
22b1bd5ff8d474bb70ad086e75dbba870aaeb52599d436b84ba35e9e612078b4
RedLineStealer
237e2e782486d84990697453d8d9498662ac491fbdeb56de82ff8fe09f6d4ed2
RedLineStealer
44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d
RedLineStealer
5e5fb939c0bb8474487a8c1809e137183f1178f9a2a700a5f2211fc619a2d1c9
RedLineStealer
8143c63631df50b95ccfc47822f808fbff228f1da4eb5e521c6352fbc678d118
RedLineStealer
82f60aeafe345ffc8fa14f80db1217bbadb6e8d74fe63f6e72cb350af4d5b61c
RedLineStealer
c4571029ff055eb10c3a096b823a3cbb42b51ac5e1f96c88f442d4d376195086
RedLineStealer
ca05bdeff05876d189e870c1b7af2bf4bd098214506905655ced4f73efe8560b
RedLineStealer
+ 875 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220109-hemp6sddb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
bb29b3edad3e52dc6c268d564016d2dde0fc6f7ba2815566174a79894a425eff
MD5 hash:
ac3235dd4c700e2569dbb9a4f677cc5f
SHA1 hash:
3fe248487c34d3fccc9e876eab79a7da482f9a3d
Link:
https://www.unpac.me/results/a9757e45-7ad7-4b27-9669-ec86698402ee/
SH256 hash:
faa8e59387b8ca7ea8748026c8c0097821b2e61aad9a7b18dbd88e00cb091083
MD5 hash:
fc005c5ed4aa87e2281b5582b84424e7
SHA1 hash:
ce5f9fc5a657e19defe9f42f6bbb95f19567118a
Link:
https://www.unpac.me/results/a9757e45-7ad7-4b27-9669-ec86698402ee/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/faa8e59387b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/faa8e59387b8ca7ea8748026c8c0097821b2e61aad9a7b18dbd88e00cb091083

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe faa8e59387b8ca7ea8748026c8c0097821b2e61aad9a7b18dbd88e00cb091083

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217868/

Comments