MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad39635cac516fe112c996e7fe9fa7d09d4074f349f515626a758dbd38fd336. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fad39635cac516fe112c996e7fe9fa7d09d4074f349f515626a758dbd38fd336
SHA3-384 hash: 68b8f6718ccd18b45331447920d54960d7d03870bc8283e1f1635e23ae1110fd30b228800b900370f65b2c09d1dd4489
SHA1 hash: 2ec3aaeab6a6e271489332a68e7c701c3be1b905
MD5 hash: cfb3293e169044ba5e8f7212e1e6f1b9
humanhash: july-tennessee-echo-robin
File name:MinecraftHackV1.8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:498'448 bytes
First seen:2021-10-11 21:09:45 UTC
Last seen:2021-10-11 21:12:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 63ac7c2799723925dd310860701c20d0 (4 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 12288:k++ZKjWZY7FkbhtqHowRTxpopR9G2Jn0Ho5D7cZajsUL:80j9iaHszbSobb
Threatray 28 similar samples on MalwareBazaar
TLSH T154B4231A9391F819F357A5BE605DD6E426F04C7CCCD9C8E6DF6D309A8B708A260C76B0
File icon (PE):PE icon
dhash icon f0e894aaaca4c8f0 (4 x RedLineStealer, 2 x RaccoonStealer)
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MinecraftHackV1.8.exe
Verdict:
Malicious activity
Analysis date:
2021-10-11 21:10:46 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a231bc53-5e37-4c97-8a9d-7f5fe98969c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196738/
Detection(s):
Win.Malware.Generic-9901230-0
Create hunting rule

Win.Malware.Generickdz-9901242-0
Create hunting rule

Win.Dropper.Nanobot-9901244-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6164a82dfd35fe780c38edcf/reports/b9d198bb-e61b-4fd4-aeef-8bfe5939e067/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8375c7fe-869f-4a9d-8872-1a572b3fecbb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867920
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fad39635cac516fe112c996e7fe9fa7d09d4074f349f515626a758dbd38fd336/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 21:10:08 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
22c23de0a046b3652861d880ad53bbfca85448d0a6814d34151b1f359839dd37
RedLineStealer
25149614d2732a9db3e86ee490064f943cef5747b19d937d2f3cc2d7e13d29b7
RedLineStealer
3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8
RedLineStealer
63301a39b93b63acab80e0a05b909f733d792c7ae829a0a207d2fa2e1498158f
RedLineStealer
63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab
RedLineStealer
96d02aa6d831dbeece3c407da36a56d57527f5848ef1b99a84fccabba1934959
RedLineStealer
bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c
RedLineStealer
cebf4c9af84506f3b683d5d4867b739244b6ba595772d583b3455781c4d91b74
RedLineStealer
d40c08e8f927017c98c6856c46c1d0c13184261ec34c4cfc3cad1cf91834897a
RedLineStealer
ea5236788c97196a492eb29449a57951e3df07b3d432f85fd23e511cfd02a58d
RedLineStealer
+ 18 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@veteran322 infostealer spyware
Link:
https://tria.ge/reports/211011-zz2s9sacc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.82.126.114:81
Unpacked files
SH256 hash:
a7dc397704c5d0a0e9519e272fc176a1926768b46afc1c17728acf798a8a2b50
MD5 hash:
5d26aab71b63bac2e46eeb65dd7d368c
SHA1 hash:
cffb0a5a10471753ae60aea6cbfa49d1328c4d5e
Link:
https://www.unpac.me/results/8ace3957-e78a-4618-8ae6-f2cab32aa33b/
SH256 hash:
e1dc5c2d1990626d2ba2aea8c9a1696ccb0545880615578aefa0d9c68df6d70c
MD5 hash:
3610ab4db4a4fc43f7fdf291d9e6ed1e
SHA1 hash:
c36e11d2ea898d0865dc857c812d392e39b04b7d
Link:
https://www.unpac.me/results/8ace3957-e78a-4618-8ae6-f2cab32aa33b/
SH256 hash:
fad39635cac516fe112c996e7fe9fa7d09d4074f349f515626a758dbd38fd336
MD5 hash:
cfb3293e169044ba5e8f7212e1e6f1b9
SHA1 hash:
2ec3aaeab6a6e271489332a68e7c701c3be1b905
Link:
https://www.unpac.me/results/8ace3957-e78a-4618-8ae6-f2cab32aa33b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fad39635cac5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fad39635cac516fe112c996e7fe9fa7d09d4074f349f515626a758dbd38fd336

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/196738/

Comments