MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fce878416b9dc2879bb7a631342a0d6504264fbd3184b49fc9545e9d3ba581b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	fce878416b9dc2879bb7a631342a0d6504264fbd3184b49fc9545e9d3ba581b4
SHA3-384 hash:	34f5942ac0bec6b5fd595a8696b4a93a040d11883a6bea723dbea36d548ed812a8d7e8ab2961347f17921a9b4e9fa19e
SHA1 hash:	2e2369a0d2f25c4d130b5533a2b5f4bbf087d981
MD5 hash:	ac91de844466c65d0e9a0c6ecb18a5f5
humanhash:	north-sodium-foxtrot-william
File name:	ac91de844466c65d0e9a0c6ecb18a5f5
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'643'184 bytes
First seen:	2022-01-31 08:35:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep	98304:VHUFnsRfSR27U07F6cP3JfOZPSKNkR9ORZlDKR3:V0qfSsx6q30yTO/ls3
Threatray	184 similar samples on MalwareBazaar
TLSH	T11FF53370EB60A589D62B6CBC5DEC6CA7BC6051DC60F072C5372C91EE7BF16C02A9D251
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ac91de844466c65d0e9a0c6ecb18a5f5

Verdict:

Malicious activity

Analysis date:

2022-01-31 09:06:20 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e3ea560c-ad7d-4891-9b95-2a4d87aa57f3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/228358/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

DNS request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed raccoon

Link:

https://www.filescan.io/uploads/61f79f75d7fd65ae55fb81c1/reports/b5b28b32-fad8-4356-a730-30a64899bf0c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3017d9b0-a535-4213-96fb-54b41393ca0a

Result

Threat name:

Phoenix Miner RedLine

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930698

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fce878416b9dc2879bb7a631342a0d6504264fbd3184b49fc9545e9d3ba581b4/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-01-29 19:29:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 43 (67.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7tuhqqlltxbipg5xuyytikqnmuccmt55ggcljh6jkrpj2o5fqg2a._file

Verdict:

malicious

RedLineStealer

2e8e2f3b627ec21bc24a14b5ae253a4c18f7f1e6a4e77ddde108620296b03000

RedLineStealer

364caf6fd9b89ebe54e6e6f295f3c9e458dee4d382f16967b9cef4883cc3864f

RedLineStealer

714f149c0b876dd7fd4f260952d70d5d21963a786ffe5a76e20ee1bcea821d6e

RedLineStealer

935e889d242191efcd783fc0a72a3a1f8881314c39df20a5418ef66f306d080b

RedLineStealer

98ad02342614a473b078f5b12274fa3c9c78779894750fbb7af82664b9e7ffa8

RedLineStealer

e1c74447881f8150767a7567a159efa3c1b06cf976618241c0f81f9bab684f36

RedLineStealer

+ 174 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220131-kg7jgahea6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Unpacked files

SH256 hash:

2ebecf5c99a14153e480739b90e04657589ed0e739ea16c948bdf83c7989c20c

MD5 hash:

886b7e19984fe061f0cf67d18be632dd

SHA1 hash:

6aca7667b83ca356df28a3186e0153ef1da40ac2

Link:

https://www.unpac.me/results/9309d4df-7d2c-432f-adef-d6fcaee79f36/

SH256 hash:

fce878416b9dc2879bb7a631342a0d6504264fbd3184b49fc9545e9d3ba581b4

MD5 hash:

ac91de844466c65d0e9a0c6ecb18a5f5

SHA1 hash:

2e2369a0d2f25c4d130b5533a2b5f4bbf087d981

Link:

https://www.unpac.me/results/9309d4df-7d2c-432f-adef-d6fcaee79f36/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/fce878416b9d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/fce878416b9dc2879bb7a631342a0d6504264fbd3184b49fc9545e9d3ba581b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/