MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0081ce7f8c3a50f714bcdf68069b66827e59bd089b2e1d9adabdaa58fdb51464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	0081ce7f8c3a50f714bcdf68069b66827e59bd089b2e1d9adabdaa58fdb51464
SHA3-384 hash:	9204b33cc6e9218a30545f3736b36de256a244d0e5442cf14b69ca1c106a72ca11fafc06f48df388f9e50757f4457875
SHA1 hash:	89f61381c1761e7f2a8b015115f4e52a143d3344
MD5 hash:	4722177da1ba43063aa5fd54ad499cd4
humanhash:	carolina-iowa-nuts-pasta
File name:	4722177da1ba43063aa5fd54ad499cd4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	417'792 bytes
First seen:	2021-10-26 21:16:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc12fa1c06b94f51dc8ec5d000654e41 (2 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	6144:KG9x0887NUkHsVbvohFTg2HUCrSM/xuQqRFCaAAUxCdThNbRgT8t3ewQ:KG7DcsVbwTxHFr1dMEMUxCdThNGotu
Threatray	1'386 similar samples on MalwareBazaar
TLSH	T1EE948D00FA91C039F9F322F449B99368A52E7EE15B2460CB63D55AEE47356E1EC3131B
File icon (PE):
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
94.140.115.194:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
94.140.115.194:80	https://threatfox.abuse.ch/ioc/161418/

Intelligence

File Origin

# of uploads :

# of downloads :

351

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/200345/

Detection(s):

Win.Dropper.Chapak-9904235-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Launching a service

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6178704fdb358dd15eddaa2d/reports/4a90150a-fa4a-4385-b918-91c34c047fb2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7eb907d7-4676-4709-ba03-d699b89b5d2e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/877374

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0081ce7f8c3a50f714bcdf68069b66827e59bd089b2e1d9adabdaa58fdb51464/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-10-26 21:17:04 UTC

AV detection:

33 of 44 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aca4474mhjipoff435uang3gqj7ftpiitmxb3gw2xwvfr7nvcrsa._file

Verdict:

malicious

RedLineStealer

3aeac75dedb84f873b1982843de3adcf11d956f1645eb7a91625de0dd67f1f8a

RedLineStealer

45d8a91be1d071837969fc7801a224b06e918bdc813e7ec14348abf8d0810312

RedLineStealer

47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80

RedLineStealer

4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7

RedLineStealer

6e0f67620da1ee82c0cfc0c166f2a027fdd8af9c8f4622952b19bed41de60b7b

RedLineStealer

a2c3a1451cbc854d4b5929132eb96e9e34b2a1f3bedb490b26699381bb80eeee

RedLineStealer

a84ff17c2a70d4953ce67e44cf6a3160feaf4a13d3bdad4aefe94810ef124c44

RedLineStealer

c74a02a5fb3879870c5c5b0ead39c54dffd97ee414cae94360c6dd12d9d023ae

RedLineStealer

+ 1'376 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:666 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211026-z41rrsach6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

oucesesstor.xyz:80
edaycamanel.xyz:80

Unpacked files

SH256 hash:

418eb14a3bcf6529893cdb03b549d99f01761da2b89188f38e2575fec6eecb3a

MD5 hash:

54dd19e34e858236361af2f77cc88c7a

SHA1 hash:

d8a8856b73a3ef9696e4b142152c97f91592f390

Link:

https://www.unpac.me/results/1be9f362-b0ab-4dcc-ac3d-f77b4ad5ddc6/

SH256 hash:

7d9d01463f2234205024f3326b2a565f8e94f1f6a899a3a57dff42e001fb0309

MD5 hash:

941a11ada059b9710ae7286088330246

SHA1 hash:

2a476b1ea97ce08aabf8f799db85534773b4b99d

Link:

https://www.unpac.me/results/1be9f362-b0ab-4dcc-ac3d-f77b4ad5ddc6/

SH256 hash:

e7b6e9fab20416e9b2232bac8b55ba04e544558c633954a31a562f25b6bbd6bb

MD5 hash:

db4d6bdca29030f034a7dfb5558402e3

SHA1 hash:

19ae27ca6f8623f24a781ce7aff81dee5a25b97f

Link:

https://www.unpac.me/results/1be9f362-b0ab-4dcc-ac3d-f77b4ad5ddc6/

SH256 hash:

0081ce7f8c3a50f714bcdf68069b66827e59bd089b2e1d9adabdaa58fdb51464

MD5 hash:

4722177da1ba43063aa5fd54ad499cd4

SHA1 hash:

89f61381c1761e7f2a8b015115f4e52a143d3344

Link:

https://www.unpac.me/results/1be9f362-b0ab-4dcc-ac3d-f77b4ad5ddc6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0081ce7f8c3a50f714bcdf68069b66827e59bd089b2e1d9adabdaa58fdb51464

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/200345/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample