MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff90905d1abeccc0e92d4856b0f670adc89cfe3a25ea8bf7aff818aeed3ff4cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff90905d1abeccc0e92d4856b0f670adc89cfe3a25ea8bf7aff818aeed3ff4cb
SHA3-384 hash: e7c60186f323c4482c4b7befc26f6d4242af47cc742b323451076b2c1dfe1dbe9aa2de8a45a65ef0650d0b7621b8a97b
SHA1 hash: e0c45079cc38749b424e5e5bfd31f73a4dd8a1d2
MD5 hash: 434af4d968858a19e4402867c52f1d0d
humanhash: artist-failed-cat-aspen
File name:FF90905D1ABECCC0E92D4856B0F670ADC89CFE3A25EA8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:406'528 bytes
First seen:2022-08-02 18:51:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8aa5d6264da1e437be4b2f2dccc9a830 (2 x Amadey, 2 x Stop, 1 x Smoke Loader)
ssdeep 6144:pSy/U3sRYQ3YH8BQQ2dJrBxollc/EnymILoGli75ZLcIfqeZ1RN9:Y6YjQocBQQoJMlDyVl+DLcIfqezRv
Threatray 7'529 similar samples on MalwareBazaar
TLSH T17784C010BA90C035E5F712F849B6926CB92E7AE19B3491CF53E51AEF46385E0ED32317
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.140.115.229:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.140.115.229:80 https://threatfox.abuse.ch/ioc/841160/

Intelligence

File Origin
# of uploads :
1
# of downloads :
410
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
FF90905D1ABECCC0E92D4856B0F670ADC89CFE3A25EA8.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 05:50:22 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/93da2052-4f6b-49f9-94a3-899c60e359cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296014/
Detection(s):
Win.Packed.Crypterx-9954282-0
Create hunting rule

Win.Packed.Bootkitx-9955672-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62e972289ca9b9bfcbe596b1/reports/6bd10ab4-9c9f-43f5-a003-edf557973749/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47ee8480-721f-4988-ac75-a793ad8d0aa2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045150
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff90905d1abeccc0e92d4856b0f670adc89cfe3a25ea8bf7aff818aeed3ff4cb/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 10:16:52 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=76ijaxi2x3gmb2jnjbllb5tqvxejz7r2exvix55p7amk53j76tfq._file
Verdict:
malicious
Similar samples:
3304124917f11a1403fa3d45855fb6c6ede480ab4092365e21a554757737425b
RedLineStealer
5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9
RedLineStealer
8a0241fb0a7b532549280c4e8e3b0a41b10ed54130c3210669ae0319b37f1547
RedLineStealer
a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c
RedLineStealer
b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01
RedLineStealer
b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0
RedLineStealer
b501929486d595121f8c631059d8778803912e1a6d1e21603417878df4ddcba9
RedLineStealer
+ 7'519 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:8888 infostealer
Link:
https://tria.ge/reports/220802-xhgqnabcgq/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Malware Config
C2 Extraction:
doaisunto.xyz:80
olmilllchi.xyz:80
Unpacked files
SH256 hash:
3ca5a7a8804eda2bbe7f9d69494d66f8a841066bf68f6d2d9a88fc586e015838
MD5 hash:
8457bba168b4b530fc28fa63545e4b85
SHA1 hash:
ec9d2593267cfd9c50119f574a2243ec3c801335
Link:
https://www.unpac.me/results/71b95b8b-1393-4549-b3e8-0b1d1c0c3361/
SH256 hash:
2201e7884d3f8bc1c8dffaa7231c6dbffd1db1b3732f76da7b3c4403262ab975
MD5 hash:
4426251cd058d3e4d62fe5b7f8cb29b7
SHA1 hash:
4d031134328f34b5d58a5bb38c5550c7fdfaf804
Link:
https://www.unpac.me/results/71b95b8b-1393-4549-b3e8-0b1d1c0c3361/
SH256 hash:
ad3d6b4a52b1618d62bc3587b04d83b44142b89bebb892cd153679aa87c3d1d1
MD5 hash:
55a8b7bf26d0fc2911b26ffb9e3131f9
SHA1 hash:
102962d9bccb668ff50c9fb61fe0a86809f261fe
Link:
https://www.unpac.me/results/71b95b8b-1393-4549-b3e8-0b1d1c0c3361/
SH256 hash:
ff90905d1abeccc0e92d4856b0f670adc89cfe3a25ea8bf7aff818aeed3ff4cb
MD5 hash:
434af4d968858a19e4402867c52f1d0d
SHA1 hash:
e0c45079cc38749b424e5e5bfd31f73a4dd8a1d2
Link:
https://www.unpac.me/results/71b95b8b-1393-4549-b3e8-0b1d1c0c3361/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff90905d1abeccc0e92d4856b0f670adc89cfe3a25ea8bf7aff818aeed3ff4cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296014/

Comments