MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffa5b15bc096c99154accf4e22b15f18c175cfca1480fe08afc47031efd0337a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	ffa5b15bc096c99154accf4e22b15f18c175cfca1480fe08afc47031efd0337a
SHA3-384 hash:	2987b64a5ffd39ba39817d1b097780c5ac353121a7735b870fb72abee23f8f702ec105253994caef46093d59c69e6a78
SHA1 hash:	a0ea58ecf6802e892798b8d897d3e59f0e4a2484
MD5 hash:	7faa223aa1328ec1dcb70d993c23e844
humanhash:	sad-pasta-stairway-helium
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'466'568 bytes
First seen:	2022-09-09 15:22:10 UTC
Last seen:	2022-09-09 18:39:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	24576:Ck7HTrcBI6hANu8/a5hBfIZhqsakcSOEIMiBF7d0WXVouuh0GnAaT6R1TLutdu:CkrTAB9Au9jBfwhPcSOnM6RDXG0OGR15
Threatray	3'593 similar samples on MalwareBazaar
TLSH	T19A65232071D0C2F2C9FB253544EACB381D3239A4077A64E776DADBEA2E157D1A3361C9
TrID	56.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.1% (.EXE) Win32 Executable (generic) (4505/5/1) 3.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Ⅰ Ⅱ Ⅲ Ⅳ Ⅴ Ⅵ Ⅶ Ⅷ Ⅸ Ⅹ Ⅺ Ⅻ
Issuer:	Ⅰ Ⅱ Ⅲ Ⅳ Ⅴ Ⅵ Ⅶ Ⅷ Ⅸ Ⅹ Ⅺ Ⅻ
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-09-07T20:19:15Z
Valid to:	2032-09-08T20:19:15Z
Serial number:	43f4e6ab92e40abf49f999adb550e170
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	2f9037fb1fe320c936c45b5fdcc4d865439a43c1db835e34cf9687b18fb4f6c6
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc425378894_652132345?hash=k4EIAisQxozJcfWwI2k8Vzi037TKR5ChvYgwQkB9JLP&dl=GQZDKMZXHA4DSNA:1662736517:z5IR0BGmeJ3KAzgSNHZXpD5ZTdnT5mCU7mElae9duPT&api=1&no_preview=1#galaxy

Intelligence

File Origin

# of uploads :

# of downloads :

376

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-09-09 15:24:12 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/5eb93cdf-2c7c-448e-8c38-ea2dee4d0829

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/309014/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file in the system32 subdirectories

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Reading critical registry keys

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/37222/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EnumerateProcesses

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

60%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/631b5aaaa90642bcbbf61263/reports/0f525221-45f5-46f2-8dec-e795e56cd6c6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/010e1f33-f099-4054-b08d-11dd9ee70cd2

Result

Threat name:

AsyncRAT, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1067863

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

PE file contains section with special chars

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AsyncRAT

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ffa5b15bc096c99154accf4e22b15f18c175cfca1480fe08afc47031efd0337a/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-09-09 15:23:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=76s3cw6as3ezcvfmz5hcfmk7ddaxlt6kcsap4cfpyrydd36qgn5a._file

Verdict:

malicious

RedLineStealer

0fa2ae13901ac7783648fd03e6fda7bbd0b92951956a2c34ac459e502968472b

RedLineStealer

13f0dc7a12f1bc8d4a79097e51f673358380cc825fbf892f696fc8355c52b838

RedLineStealer

21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421

RedLineStealer

547e2bd845ba9e62e711c1a787225bb6b55c8d13d446dca7ee1cc3b2d61f0d8c

RedLineStealer

888b5e39aafdf0f8db93b08e9e6dfc59430c54d1c7ca844f626645e00101ac32

RedLineStealer

9ea6a9492a5d62161f14fbb77d7e0c5a8507d92a9fcbcc110cd0a3d867e61c68

RedLineStealer

a9f13964a225099d83f98a44023f8501c138c31a585bf9340dab2424cfc9a926

RedLineStealer

bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f

RedLineStealer

cb3df9a9c73428751b722ae2dfbce2d04b46125d6aa5f69164e73f0f25ccfc8c

RedLineStealer

+ 3'583 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220909-ssf5nacccr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

c8ba5e6a0aca2de92df825a004e93d0d41281025f6ad5e084e59629ba9568361

MD5 hash:

84f60014a29eccd0a135f9d89d300fe1

SHA1 hash:

e6e56589328968787b48757030c8e69dded87eae

Link:

https://www.unpac.me/results/d00c0985-0d00-44b6-867a-b94af74f47fb/

SH256 hash:

d6e67e10626f1f779c5bf29dfb45d5fe8b9bc111daae720c0f43682f25686cab

MD5 hash:

911928ab5803231074200c42b3387bbc

SHA1 hash:

86de42479a076dc600df088fae179b47ab6ee046

Link:

https://www.unpac.me/results/d00c0985-0d00-44b6-867a-b94af74f47fb/

SH256 hash:

ffa5b15bc096c99154accf4e22b15f18c175cfca1480fe08afc47031efd0337a

MD5 hash:

7faa223aa1328ec1dcb70d993c23e844

SHA1 hash:

a0ea58ecf6802e892798b8d897d3e59f0e4a2484

Link:

https://www.unpac.me/results/d00c0985-0d00-44b6-867a-b94af74f47fb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ffa5b15bc096c99154accf4e22b15f18c175cfca1480fe08afc47031efd0337a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/309014/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample