MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734
SHA3-384 hash: bd1f3d82ae8af89bdbcfd2668a2d85f0450d8d20345de700c200341d65be61acffd68c92fa0013c53aa90f1cf75c3390
SHA1 hash: bbeb65a0bd4bbf7a87e0303aee2d9a3dd7c69ef7
MD5 hash: 06469b7e7904c634cdab3d3fe18a9ad3
humanhash: muppet-wyoming-batman-oklahoma
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:741'888 bytes
First seen:2022-10-25 16:40:29 UTC
Last seen:2022-10-26 15:30:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 95775a362cae2a5280b7aa94d498f0c6 (2 x RedLineStealer)
ssdeep 12288:qQBRuwkLNx0mf0ZjwQsn7uFURmtEif3w74COR0oq7yGOVVuyUq0SWo0MLoimPMFP:qQBRtkLNx0I0Z9EivwECORR8Bo0MLQEp
Threatray 743 similar samples on MalwareBazaar
TLSH T14AF48D0137C1823BDAB334324E69A67447AEA4B10B2747DF93C816FBDF645E16F2152A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc733883836_657537552?hash=vDItn6J5uy0KAECyUlME5K0dmMEqp76a2mRfXY5AFIk&dl=G4ZTGOBYGM4DGNQ:1666715032:PlvcaF4LSLnxWNdUSt1N4zgJO0Lt2dUD9VDQ99ceuzo&api=1&no_preview=1#1

Intelligence

File Origin
# of uploads :
592
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-25 16:49:58 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/07d020c9-59ab-4718-a311-d258716f9a05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324086/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.12915.16988.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Using the Windows Management Instrumentation requests
Creating a file in the system32 subdirectories
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45448/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3721b92-2a30-4527-9baf-421f63355018
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097768
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 17:18:05 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xoi6wtnpxk2jovscki5a7hvfduubpytrvj4odvnv6lrkiucw42a._file
Verdict:
malicious
Similar samples:
0963fff5b1b19e7da2d72f54f54a5369ac466f0c8b76329ba70fd1c464858f9f
RedLineStealer
0d09a4ab3e8ceb83ed61d72f369dafe02bcfee6e57551b3a9077aee0a718aee8
RedLineStealer
589e3d0fa9a36fd20b921f49347b072cab0a92174ff5f4418d11f52b745066ce
RedLineStealer
80c13f76051a4426e06c7581bdcaba65b79e497761d7329e306745d2150d1f43
RedLineStealer
8c8774aa92f0237e9a8ffbaa0a88a8650c0bc4b465f0296c94e14f58ac97fc7f
RedLineStealer
f08b3a925566dc86f7be4986161b016083df3b388bd60ddd41acd29090af565c
RedLineStealer
+ 733 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig botnet:875784825 botnet:logsdiller cloud (tg: @logsdillabot) evasion infostealer miner persistence spyware themida trojan upx
Link:
https://tria.ge/reports/221025-t6321sdcbj/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Identifies Wine through registry keys
Loads dropped DLL
Themida packer
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Stops running service(s)
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Modifies security service
RedLine
RedLine payload
xmrig
Malware Config
C2 Extraction:
51.89.201.21:7161
79.137.192.6:8362
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/52843a1a-a941-48da-b6ba-2f5267373f68
Unpacked files
SH256 hash:
fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734
MD5 hash:
06469b7e7904c634cdab3d3fe18a9ad3
SHA1 hash:
bbeb65a0bd4bbf7a87e0303aee2d9a3dd7c69ef7
Link:
https://www.unpac.me/results/8abde75f-c4ad-4769-894d-71af978b2345/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/324086/

Comments