MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 12 File information Comments

SHA256 hash:	ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e
SHA3-384 hash:	2772a061ee5c1a9d5540ddf785d73f55b7ad1842ac84b25009a0a7e772cdc7e133da115d8880aa42555faecff9b94750
SHA1 hash:	5eb9b7164bba4dc44cf7dabb422b09dcd37be53e
MD5 hash:	b3c1420b33a1a4bfa365bf8f07341414
humanhash:	asparagus-lima-freddie-oranges
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	471'888 bytes
First seen:	2023-10-09 14:19:59 UTC
Last seen:	2023-10-09 20:52:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ccd971500e6b6446ec4def65a9719b08 (4 x RedLineStealer, 1 x PovertyStealer)
ssdeep	6144:OwmEmkoh0h78AQWh2OohFAOOO/nqi4inYqfBcd4Qe+kDmYxoWK:OVEmt+h45LwGYjxeTp
Threatray	425 similar samples on MalwareBazaar
TLSH	T110A45D18798380B1E697C772B6DD87E1166DA4DA2B700AFFF7951E3707603C386319A8
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

322

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://faviskincare.com/wp-upl/zip.7z

Verdict:

Malicious activity

Analysis date:

2023-10-09 16:49:29 UTC

Tags:

privateloader evasion opendir loader stealer redline tofsee hijackloader botnet smoke stealc ransomware stop miner raccoon recordbreaker

Link:

https://app.any.run/tasks/a390c87e-4748-40d1-9fc2-b9ab07da67e6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Fugrafa-10010052-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Creating a file

Launching a process

Launching the default Windows debugger (dwwin.exe)

Creating a window

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/65240c13e509ddb6cd1d6146/reports/2cf5f008-4fdb-4ae6-8e72-c26967ca1514/overview

Verdict:

Malicious

Labled as:

TrojanS.F23C58EC

Link:

https://www.hybrid-analysis.com/sample/ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec045255-c82e-4912-a166-5cae74788085

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1322239

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found API chain indicative of debugger detection

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e/

Threat name:

Win32.Spyware.TrickBot

Status:

Malicious

First seen:

2023-10-09 14:20:07 UTC

File Type:

PE (Exe)

AV detection:

20 of 22 (90.91%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=766w763v455tilz4vj3ssjko6xobtddyhj4dcdlusi75q3hemfha._file

Verdict:

malicious

RedLineStealer

069eebbc0d62641b23088b3c6561ff8367716f814195ecab325c59ae4e3a0586

RedLineStealer

3b7aeba8e0fcfabaedea717f6f08fe210f1d441b09daa3e11e4ee5c58acb04b9

RedLineStealer

5c8433a27512bd58126d9c22b0f755659033b1913af1bd441c8953ea417bcc8d

RedLineStealer

831e1887de32640a9d66dc993eba2c31a7e01f017f69051cc8b94e76fd4bf51d

RedLineStealer

a3e882db2dd600a2dd0f594b781f68235af8b91c6a5e98ef68a5a959e97ace2a

RedLineStealer

e34ae89a36844c63acdb1ce9e7e079965a580628f239f37d47cdf7968f41d62b

RedLineStealer

fcf244a20604eed1b9472af2c2437b836651f2465e626101754bb6ef0c5c8416

RedLineStealer

ffc6d3189c1ed2f9a20be4f0d140a3622c21d9736033006e5f8b4a64b7184b22

RedLineStealer

+ 415 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:smokiez285 infostealer spyware

Link:

https://tria.ge/reports/231009-rpjwpsdc9z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

194.169.175.232:45451

Unpacked files

SH256 hash:

2badafa867fda2f72ddb7a8491dc64f8a0757ff07d4f512edda5900d3be74d65

MD5 hash:

6583555afa403cca26d68c3a9386fd68

SHA1 hash:

c071a264674ccc87fd4b865e9164f6b0eac62d9a

Detections:

redline

Link:

https://www.unpac.me/results/bb9ec510-df4a-4492-aacf-97f3fa4a25ea/

Parent samples :

be8ec715501cffc350a70f6152f1244907091af202e574b38c4b8e9077e2d7e8
ea12961ab4496771ad1f6056a294a335d60661a725e98f7a443cc45e4826860c
63a2e4ff605edbe78b72027f63b1ee37f76dd48c1a216e4f42a819cab7b57179
40a90e628cc075526434cf155a464239f8f6a6dc9157788dee5b5209943ab67f
9cc458ba7d97a5db07e7a42561b0d55e4adfce7e41a4a477b06e3b0fd5e871bf
d78ba749c5162b591ec8b2e8e70fc758bd545f86c05b05c47d4d0388833bd498
c13ef6f741861e02f505fcd7dd8e5f770c5e0b70167e65c6fa14b59067a3e2cb
d3595d8ed1b9f2ec77f0c654fe92e8397ffbd9cae6615f87f68fd0442d6229cc
34827a66a28b9fad1b1f0daeb1f4d15185942df647207305d94f00e6be2a689e
4f90d97f3ef33851bba630cb781820f861144c97b7b962363ba18ee9bd72a7c2
53a93577991f5ff457ce602fbdb133754cdbb3b3d73300aeacb5640819a1920b
71580dae1707ba6cf9590f966cb9f3af646f413c2f418de864da8f2148b76b25
7facbc0f3f99b780c838a040234fc2e1315bd3d3acadc0ee0226eb890e891605
10816d319e9567cf374028eb1e510a5459eaf757d92358c2c11f36bc23186d21
97d9696f980554aa1ac89abae70e947e83875a399f346026722e01c3bfc685e6
ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e

SH256 hash:

ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e

MD5 hash:

b3c1420b33a1a4bfa365bf8f07341414

SHA1 hash:

5eb9b7164bba4dc44cf7dabb422b09dcd37be53e

Link:

https://www.unpac.me/results/bb9ec510-df4a-4492-aacf-97f3fa4a25ea/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ffbd6ffb75e7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2706937/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample