MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07899feb537cc56e09bf7a16e0ee7d3698922a88eeb5e088e1d22d7cc964c838. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	07899feb537cc56e09bf7a16e0ee7d3698922a88eeb5e088e1d22d7cc964c838
SHA3-384 hash:	b3e7e482426ec8fb3202f296e91cc4afdcfe832334e7494aca58f59fcd18b932c45b944d28c9c30374ecd17ec3b15bc7
SHA1 hash:	0cc3eeb8ed7cd50db3c0535d33c70175b0e2227a
MD5 hash:	a7fba2f7ca65a1bd38f0a07d71404b45
humanhash:	low-november-nine-enemy
File name:	a7fba2f7ca65a1bd38f0a07d71404b45.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	597'912 bytes
First seen:	2021-11-08 15:50:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:guTyXW06HFAt4u914Dl6oDPc5VlLn64/GjePhZr3B7SqHjIrUplcjk0/oOQhj8/+:yX46zU8Dh9Zr9Pwraj8/+
Threatray	2'302 similar samples on MalwareBazaar
TLSH	T143D40E5D22C2FE30C9A51A3686E3F510AF3120E7435387CB5BDA95C05635027EEE9AB6
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://194.180.174.182/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://194.180.174.182/	https://threatfox.abuse.ch/ioc/245154/

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/203329/

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated overlay packed packed

Link:

https://www.filescan.io/uploads/61894767dec33478259fbbb9/reports/18b0107d-f165-4807-8b02-82be34849917/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4a474ae7-67da-4b2c-a79e-54730a0811f5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/885375

Signature

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/07899feb537cc56e09bf7a16e0ee7d3698922a88eeb5e088e1d22d7cc964c838/

Threat name:

ByteCode-MSIL.Trojan.Bulz

Status:

Malicious

First seen:

2021-11-06 03:55:00 UTC

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=a6ez722tptcw4cn7pilob3t5g2mjekui5226bchb2iwxzsleza4a._file

Verdict:

malicious

Label(s):

raccoon

RedLineStealer

44e4f61a0d347cf7f59f8a1f545832b1ca375398f234feba4d0d06e4cb5031b3

RedLineStealer

7c7a666762a9ddf937c9cec874b597523bc0dd2ca10624db4f1c72430462a60e

RedLineStealer

94cbc6a1b4cc99bbfb3824eab5720009773c04a2b4e628789d7db4f824a78201

RedLineStealer

979489468d527202ce55a465799013a16fccfcc838d523707a016e064a0e85a1

RedLineStealer

9c8590c7165b453dd0792be3cf51e200961a1ed9cf1154768ee86f7018db8fd9

RedLineStealer

cc005ad9ad8411fda8398597954ce4f4210c978367f996e05ce01bba2833986c

RedLineStealer

e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13

RedLineStealer

fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957

RedLineStealer

+ 2'292 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:raccoon family:redline botnet:34b5c357572382155552cb40207e952f9f95264b discovery infostealer stealer

Link:

https://tria.ge/reports/211108-tagh5scdc6/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks installed software on the system

Drops startup file

Downloads MZ/PE file

Executes dropped EXE

Raccoon

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

185.215.113.205:65531

Unpacked files

SH256 hash:

e04720c7d311decb0049e561daec87c8bc4cdc764ee1e1f47c494f44ddd9fec1

MD5 hash:

0900fe46000f1ce6408b4401058e281c

SHA1 hash:

79184c26f55e129a5c2a4ff3c60a7c87eb2775ed

Link:

https://www.unpac.me/results/d4e3df3d-432a-46e0-8ad8-fccd8ed41ebb/

SH256 hash:

07899feb537cc56e09bf7a16e0ee7d3698922a88eeb5e088e1d22d7cc964c838

MD5 hash:

a7fba2f7ca65a1bd38f0a07d71404b45

SHA1 hash:

0cc3eeb8ed7cd50db3c0535d33c70175b0e2227a

Link:

https://www.unpac.me/results/d4e3df3d-432a-46e0-8ad8-fccd8ed41ebb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/07899feb537cc56e09bf7a16e0ee7d3698922a88eeb5e088e1d22d7cc964c838

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/203329/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample