MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef
SHA3-384 hash: bafb848c56392d7bf7a72ffcbdba28b47bfa5b9aacf7029b70f140daef16a9d94ab5b102fb9cacba61be8aa2f5fd5ee7
SHA1 hash: 0a629b6d207ec4c80207320379369bb83b09893d
MD5 hash: 20e704d3e137459c78beafbbc85a3a1c
humanhash: sodium-fix-lamp-yellow
File name:20e704d3e137459c78beafbbc85a3a1c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'811'412 bytes
First seen:2021-08-12 06:40:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5cdfba68edbb115e7aa5ed6776bb6546 (29 x RedLineStealer, 1 x MassLogger)
ssdeep 49152:tVCnOFEGRdoPciiJZFLEl4tnrh6GcbxwDaABntrHBKDyCh/pPZSiS7DXj5V:tVcOffmcitqr/cbxunt8DyCh/pPODXn
Threatray 3'728 similar samples on MalwareBazaar
TLSH T109D5121D2D81CEDEE2C45E37A387E11841B65F22DB2BCFCE56C833E959752A09B066C1
dhash icon 31f0f0f0f0f0f031 (5 x RedLineStealer, 1 x LummaStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20e704d3e137459c78beafbbc85a3a1c
Verdict:
Malicious activity
Analysis date:
2021-08-12 07:09:50 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/fb9aae27-d453-4dc1-8190-72ed506c83d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178491/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46776798.10107.1771.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Searching for analyzing tools
Searching for the window
Sending a UDP request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Reading critical registry keys
Deleting a recently created file
Creating a file
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3006e44d-dd1f-4304-9b6e-c2f3135e1f59
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831493
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 00:12:02 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
01b45d40b3c0e6eb46294b021f2a681572ae10e63b48a38c7e02efcf1ce24591
RedLineStealer
266f8215ba1b531f93fb7567c34088e49ad4de63d9c2726e11caaa6158be9d9a
RedLineStealer
34d14ab08b41d288019d4966b337e5ee13d07cdb652dabf51834bac44c0052f8
RedLineStealer
4eddae6270bea0e72b01601a5d5b186a3abb162239463eaeb67d9d95cfd7cc8b
RedLineStealer
6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935
RedLineStealer
74da2e5d659f93e151c0c79b2a09691299689ac406c7c5d04d7cfeac79ee7a13
RedLineStealer
88b21d6bda07db2097615a88062328006f0c10d199d4fc5e50483d6fd6abe622
RedLineStealer
acda9ae5a6c865eb3291e1bb7cc41e6b0f86a12e180c984a2f4fcb302505021b
RedLineStealer
d7088573e0239d3260dc7ff251b3b0e1d3979d854b3d0442f7dc43226f9263ed
RedLineStealer
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
RedLineStealer
+ 3'718 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1108(3) discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210812-s281hy23sa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
46.28.204.54:27605
Unpacked files
SH256 hash:
59b9b64f01da506b4cfc3b21b16f68f20dbccc346e739cf46a64da81e6ae5838
MD5 hash:
e8ef6fd02ffd372e292acf702f3b6f1c
SHA1 hash:
c29c127209642dcfa4fb1be97799a937f0047d8d
Link:
https://www.unpac.me/results/4d061c42-dbd0-46e5-9c54-d5292a59784c/
SH256 hash:
0126d59367d6d0204f037118b7da0eff2bbfb237ceceed3b414c9e7d6be83450
MD5 hash:
04680d46a2a9fced44637a24f5e250c3
SHA1 hash:
84fdf067c65c7b42ccde1b164ebf58ccb01b1584
Link:
https://www.unpac.me/results/4d061c42-dbd0-46e5-9c54-d5292a59784c/
SH256 hash:
1c2942b07cc0fe97e490c1490ca53bd1c86808cb0ca2e9ab7f94a690f5a81d06
MD5 hash:
a50140db5e2fec2cc07fa4700c6c9c59
SHA1 hash:
b8547958ab3e5c81b7e78e8b5a8b72888258d3c2
Link:
https://www.unpac.me/results/4d061c42-dbd0-46e5-9c54-d5292a59784c/
SH256 hash:
ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef
MD5 hash:
20e704d3e137459c78beafbbc85a3a1c
SHA1 hash:
0a629b6d207ec4c80207320379369bb83b09893d
Link:
https://www.unpac.me/results/4d061c42-dbd0-46e5-9c54-d5292a59784c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ff721387c09c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1527050/
Cape
Cape
https://www.capesandbox.com/analysis/178491/

Comments


Avatar
zbet commented on 2021-08-12 06:40:23 UTC

url : hxxp://193.142.59.221/blog/images/sp.exe