MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e
SHA3-384 hash: 7679a817917b187b2550be63ef31e0f72c4b0f6c36d8b18274d08a4a3d9477c642af8809623b904c2442d4a99f41efdd
SHA1 hash: 0ce43b1289e27638ac3daa44541d7b05fc1a4bb5
MD5 hash: dec23ae7a89a24561d5289fc65bd1978
humanhash: kitten-green-two-apart
File name:dec23ae7a89a24561d5289fc65bd1978.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:361'472 bytes
First seen:2022-09-15 18:13:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c317da9f6fb91f599af70d4195d9cc37 (2 x RedLineStealer, 2 x Smoke Loader, 2 x DanaBot)
ssdeep 6144:9FuVMTNeyvuCx3t+FwTVcpGs4benmS7rzpiqvBIr9lIgDuSp:XPTEyHxd+FwTsGsbmGTvBIr9ljn
Threatray 7'236 similar samples on MalwareBazaar
TLSH T11974CF10FB90D435F1B712F44ABA83A8B93D3DA05B2595CB62C566EE163C6E4EC30397
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c8d8c8c8e0e4a099 (57 x Smoke Loader, 55 x Amadey, 20 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
dec23ae7a89a24561d5289fc65bd1978.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 06:48:46 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e9a5afab-b2b8-45c7-b094-0f6078197f5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/310330/
Detection(s):
Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Packed.Bandook-9958944-1
Create hunting rule

Win.Ransomware.Tofsee-9968431-0
Create hunting rule

Win.Malware.Crypterx-9968570-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37747/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63236b76b564f001cc8ad45b/reports/72a078e0-918c-417a-8460-89297081f580/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2277e0ea-e4bf-4612-a3a0-685fac20baef
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1071172
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-09-14 10:56:59 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
24 of 25 (96.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aix5pgsfy5rpgfvuqdfuylkxrgrxue4irw7tpi6whxxbepktgfha._file
Verdict:
malicious
Similar samples:
2db89e88a102f12c5cfb4461367873df2b13b86ac40a0be742cf242934d2a8a4
RedLineStealer
4a6049e6de1d7de6e6c0d161e5ab6a176a8b1a11a9721f9fd9d63838fef5c74a
RedLineStealer
d86b58b1f89ce520035d9e88ccea2b4970ae7db7346bedd8317f03b4f2050f7e
RedLineStealer
ea4be78e52fa24922f39ca1b4d8f4f8e7404a23772795f383108a0b0a0222895
RedLineStealer
fe5834a2aa5f28f0376efeb45429c010a1d6366bf050b7c18fbbb0b4d6b43481
RedLineStealer
febeda5fb81c061a437226e0fda9dcd638a5072c658391005e15872df45b54e5
RedLineStealer
+ 7'226 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:twick discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220915-wvax7sdgd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
trustedwicky.com:80
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ac029fb4-31db-4a85-9de6-3758535e7698
Unpacked files
SH256 hash:
802a298e6c48b07a31e973c456c710aec59fa83e3437187fbc6b2299fcc6fea6
MD5 hash:
f734d4c4d6ea2cf6d54678f72aa75565
SHA1 hash:
e6502ba5c04f1bd428fe39725a08e90a2f4e8e1f
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/9c188603-b83c-4758-8d19-2876c3cf4cfb/
Parent samples :
fe5834a2aa5f28f0376efeb45429c010a1d6366bf050b7c18fbbb0b4d6b43481
7d03927f45c63053987c30bf6d97a76caebe911f74e43f70ded76f9152c5822a
2db89e88a102f12c5cfb4461367873df2b13b86ac40a0be742cf242934d2a8a4
febeda5fb81c061a437226e0fda9dcd638a5072c658391005e15872df45b54e5
7f6fd9c407a66994d1f6ba421efd3db0d93192697ae121ff60aef42ce55d784b
1669c3d6840415926e728047acf0d65c480f5e0a6d1d29949d132ea7150e17af
9b259ec3a437b5e08ca516b3d53855712c1ca6d90faaf0bebfde16d5e8abef3c
8ab68f303ee17c11fe89c662019d816f1326751f2b3f902ca33c9fccae67c469
dee281401432f47dcfc1150d6427b87c7111885b8747d3ce306d8b91d0184832
022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e
SH256 hash:
7a16345c6e274828e178caec76d585ddc78b34183a74f84932dc8a0df550e268
MD5 hash:
9b7c1e93a4ee412dc91be4649c0b3d6e
SHA1 hash:
9e10b3453d253ee332d22e3dba3dc7f31d67ef7b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/9c188603-b83c-4758-8d19-2876c3cf4cfb/
Parent samples :
d86b58b1f89ce520035d9e88ccea2b4970ae7db7346bedd8317f03b4f2050f7e
51ce050ec66597300ff961139dab2abc9cb5348cf275696a39c5886e0b6fc5e5
4a6049e6de1d7de6e6c0d161e5ab6a176a8b1a11a9721f9fd9d63838fef5c74a
fe5834a2aa5f28f0376efeb45429c010a1d6366bf050b7c18fbbb0b4d6b43481
7d03927f45c63053987c30bf6d97a76caebe911f74e43f70ded76f9152c5822a
2db89e88a102f12c5cfb4461367873df2b13b86ac40a0be742cf242934d2a8a4
ea4be78e52fa24922f39ca1b4d8f4f8e7404a23772795f383108a0b0a0222895
eb906b5a888917578d28f266077ffbf650fd5be52b86bde3eafbadfa38a29d37
bbee99aaf8f3ca2de2bba1f06f3e28d575eedea2a45c937a15a0bfd0527d7055
febeda5fb81c061a437226e0fda9dcd638a5072c658391005e15872df45b54e5
346901c9261b0370213dffd8fa6fff7059bc18c25bbde946f719d4aa01eb5836
67667646094e5b11c14024e8166a2c5d886e36e239948857efb5a25b28f56fcd
7f6fd9c407a66994d1f6ba421efd3db0d93192697ae121ff60aef42ce55d784b
d54ea4b1eb7deebeeba9c49fbc8d89ba4fd1dab364e763df267c5816eb360001
760ae13e5932d1b7d919c9cfb6f1bfe04ad8ede002c32df88a2f0c9351fec9f8
1669c3d6840415926e728047acf0d65c480f5e0a6d1d29949d132ea7150e17af
f5c997104a3ce96c7331e8301bdfefebeabce8232a168cd8c67243d8d96f893c
9b259ec3a437b5e08ca516b3d53855712c1ca6d90faaf0bebfde16d5e8abef3c
04930e90c4a7907f5ec414e46ebad33472cacd105c7353651e65ee6d2bde62e4
8b2af94f8cae9584369aa02d3dc1550be4297b6c6fdfd959b51ea0563a0ff79d
fd182dfc99b5055afee5c281a511c9b8c5716af9767a9e78e9eec90e0edeb1da
8ab68f303ee17c11fe89c662019d816f1326751f2b3f902ca33c9fccae67c469
dee281401432f47dcfc1150d6427b87c7111885b8747d3ce306d8b91d0184832
7e267701b49da697a35ecde1e2d72b67e38ff0c30d0b5afb9ead0f453e931d62
21c5f77bfbc542e75028606b987e5e6416910e6524c393cf0166dc586a1d00f4
e0b71019ee4946e670a9774bb11800749b83ab9330e966d223d03c43b12b08f6
c7e6f33ef6015f109574556fd649eb1737b7240d7cf75e4b9b10e79f72ff6123
bcae63856b1766f554ffa2b915eaf6ba7c65846ae0d050e7ef752b84249d0b01
022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e
SH256 hash:
0335b65fc6dcb1a376bd81b19bf6ec054728dad9411b2f78be0ae807fb32f217
MD5 hash:
ccb58db24fb5af8c8788450f8dcbe0e3
SHA1 hash:
1a489d3a9ae0ec20592a674f04c43be307451d0b
Link:
https://www.unpac.me/results/9c188603-b83c-4758-8d19-2876c3cf4cfb/
SH256 hash:
022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e
MD5 hash:
dec23ae7a89a24561d5289fc65bd1978
SHA1 hash:
0ce43b1289e27638ac3daa44541d7b05fc1a4bb5
Link:
https://www.unpac.me/results/9c188603-b83c-4758-8d19-2876c3cf4cfb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2277404/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/310330/

Comments