MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05ca14205ad121f0898daf25435e29816e4bded01dd71f0ec263117735768e02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 10


SHA256 hash: 05ca14205ad121f0898daf25435e29816e4bded01dd71f0ec263117735768e02
SHA3-384 hash: ce54be86c9e6c0720ee748e48d6a3e385d3f4720ecac707b9669ea2afec33a4582e76158cd7b53acd55c841ef75a07fd
SHA1 hash: c5718d040381f09a8dd63fd4b1e51bf7975cf5a9
MD5 hash: f2933766de461b683cabc087574726c0
humanhash: october-eight-virginia-arizona
File name: f2933766de461b683cabc087574726c0.exe
Signature: RedLineStealer
File size: 2'580'219 bytes
First seen: 2022-07-25 09:22:50 UTC
Last seen: 2022-07-25 09:52:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep: 24576:ckIZfL4bY8YKYo4XqNCzVoMVOdv5YcXCdm9ZzdOqqlKgcgLyyTGKl3RuQ55313B:1bWVoc2HXYJlKgcgdl3r
TLSH: T141C50A135A8B0E75DDD23BB461CB633AA734EE30CA3A9B7FF608C52559532C46C1A742
TrID:
  33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 313
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: installer.exe
Verdict: Malicious activity
Analysis date: 2022-07-26 01:30:25 UTC
Tags: trojan evasion redline socelars stealer loader rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
  Searching for the window
  Sending a custom TCP request

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
  MalwareBazaar
  SystemUptime
  MeasuringTime
  EvasionGetTickCount
  EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug anti-vm overlay spyeye
Result
Verdict: UNKNOWN
Details
  Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
  Contain functionality to detect virtual machines
  Contains functionality to inject code into remote processes
  Injects a PE file into a foreign processes
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for submitted file
  Performs DNS queries to domains with low reputation
  Writes to foreign memory regions
  Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-07-25 09:23:10 UTC
File Type: PE (Exe)
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:toppp infostealer
Behaviour
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  RedLine
Malware Config
C2 Extraction: gwarostacara.xyz:80
Unpacked files
  SHA256 hash: 0d9cba71e25a4b17cb18a6c4e9f1bc8206c67cc0a5be9e56a3e50c2146f49f40
  MD5 hash: 16b2837b3f9546be8b796804ac74dea4
  SHA1 hash: 9e78a92b44217fceffe188854ffa8a0a5ce524c3
  SHA256 hash: 05ca14205ad121f0898daf25435e29816e4bded01dd71f0ec263117735768e02
  MD5 hash: f2933766de461b683cabc087574726c0
  SHA1 hash: c5718d040381f09a8dd63fd4b1e51bf7975cf5a9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256: 05ca14205ad121f0898daf25435e29816e4bded01dd71f0ec263117735768e02 (this sample)

Delivery method
Distributed via web download

Comments