MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff77b3faead625a06b88799a3c68d56f60a4bece30c70c37cdfd5591b283976e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	ff77b3faead625a06b88799a3c68d56f60a4bece30c70c37cdfd5591b283976e
SHA3-384 hash:	535db65ebe8c0f93dafc000f259b31fd7c546927f5863ae7f519ad1841d14c55d73ab7bc75fbe0eba568764b294e345d
SHA1 hash:	ca567bc616c72bf4b6110bc8c02ecfe759434434
MD5 hash:	e1d24b9f3988fa959c28d5b6c71a15d3
humanhash:	leopard-video-leopard-eighteen
File name:	ff77b3faead625a06b88799a3c68d56f60a4bece30c70.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	335'360 bytes
First seen:	2021-12-13 04:40:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7f4d3b921ad5f29f447de130848647e5 (21 x RedLineStealer, 3 x Smoke Loader, 1 x ArkeiStealer)
ssdeep	6144:ch7nyppNmwPa5bRPUKzr9MFjhuQ/zHmudb7ITsq13tB2T:cRnytmsibRPBMv37mm7k3/2
Threatray	3'319 similar samples on MalwareBazaar
TLSH	T1D664E1C175A0C871C5A36935A439CBED4D7FB960EB20808B77742BAF2F72BC15A21752
File icon (PE):
dhash icon	327e7c7f727e6e72 (3 x RedLineStealer, 1 x ArkeiStealer, 1 x DanaBot)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.79:11452

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.79:11452	https://threatfox.abuse.ch/ioc/274680/

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ff77b3faead625a06b88799a3c68d56f60a4bece30c70.exe

Verdict:

Malicious activity

Analysis date:

2021-12-13 04:43:34 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/80949aaf-3a7b-45a7-aff9-f941f8a4ad8e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/213478/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

DNS request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/1746/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61b6cee12a069372660fd9b0/reports/25fa5538-5e9b-4d7a-a911-fbb2ad075322/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d37b7298-8901-42b6-b3af-1efecc6c9f70

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/906130

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff77b3faead625a06b88799a3c68d56f60a4bece30c70c37cdfd5591b283976e/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-13 04:41:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7533h6xk2ys2a24ipgndy2gvn5qkjpwogddqyn6n7vkzdmuds5xa._file

Verdict:

malicious

RedLineStealer

258e71867219339212128905ae82205efb2a3a11edff805f22b15d18af9413c8

RedLineStealer

3f325a237265eac17786e79dab8fd11688d7022755982385b8ee17de035570d5

RedLineStealer

6ed0e0fc4fc180454a9ebb07cf9cebecdc7595bde25f883f0360e1fc5cde77a3

RedLineStealer

9b009a24ed2022a348e82514b039cea11b468365e0cf58ae5bb217fc3c391493

RedLineStealer

c2dd287121b9ecbd07a1f4ca65b433e2d56df56f360c7f2037d17845a9705f5e

RedLineStealer

+ 3'309 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:testing discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211213-fa4rsaedcr/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.79:11452

Unpacked files

SH256 hash:

183b185c1b25d310a2816a7bda75d533d5d7aef0ae7d793987e6de434041f208

MD5 hash:

b957420ca5d155b5d19e8650864afc9e

SHA1 hash:

b74df6ee15a4c4ebd26b2a6cf71b956fc7b81c03

Link:

https://www.unpac.me/results/f0fc17bf-55eb-4d0e-be3b-6db6f4599f2c/

SH256 hash:

dad6ded14cd69de61be50307e0ec2accecab4eab7c053f4306e7faf9f71d8c58

MD5 hash:

76b36ed29e880f28ca7f3986b4549234

SHA1 hash:

9d4490e452af9b95bae53b9eb563978e9e311782

Link:

https://www.unpac.me/results/f0fc17bf-55eb-4d0e-be3b-6db6f4599f2c/

SH256 hash:

b00d72f0657953addde4c82229b46d2db195fc9b62c7dfb0122855837f70d198

MD5 hash:

08a5af582abf63d910a4dd87eb5c8592

SHA1 hash:

46badc306bd8526a7adf4df93b34c5f2dbfc7ad9

Link:

https://www.unpac.me/results/f0fc17bf-55eb-4d0e-be3b-6db6f4599f2c/

SH256 hash:

ff77b3faead625a06b88799a3c68d56f60a4bece30c70c37cdfd5591b283976e

MD5 hash:

e1d24b9f3988fa959c28d5b6c71a15d3

SHA1 hash:

ca567bc616c72bf4b6110bc8c02ecfe759434434

Link:

https://www.unpac.me/results/f0fc17bf-55eb-4d0e-be3b-6db6f4599f2c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ff77b3faead625a06b88799a3c68d56f60a4bece30c70c37cdfd5591b283976e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/213478/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample