MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
SHA3-384 hash: f2a837fbf5e76f7c388e771facb22226ad7cb5f18f65985e7dffdef57195491984d5069120da438fdecfbb2d63192d3d
SHA1 hash: 0766beb4e4dec3196f95e10044e792862ca83c3b
MD5 hash: 8fa8bfb9b75a7c33d9d8cc65a7172a7c
humanhash: nine-sixteen-football-mobile
File name:SecuriteInfo.com.Win32.CrypterX-gen.22852.32393
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:356'864 bytes
First seen:2023-07-24 02:27:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 795d5374158688612616ccbdb5ba25ba (8 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:96Hvnlv6gvTGZEcf0WZbns5RTMxZKbZOivUK894s/P:knZ6OTGZvNZbns5R+sgaU/9r/
Threatray 179 similar samples on MalwareBazaar
TLSH T1BC74E02236E1C072D4A746304934D2A61E7FBC626B7585CF37A82B3EAF712C09E75356
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70c0ddd2c1d8d2dd (1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-23 22:51:05 UTC
Tags:
loader smoke trojan amadey fabookie stealer ransomware stop rat redline vidar arkei miner
Link:
https://app.any.run/tasks/cd002026-b9c0-4463-8442-8dc0a0984029

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430517/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.22852.32393.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dcea70e6-25b2-4b17-9e92-06eb3db1bc8b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277968
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2023-07-23 23:09:45 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6wv27afadf55obxvu7ebfdknph4umps42hpgfqqmuj7idulkxgq._file
Verdict:
malicious
Similar samples:
0053d1419ec04041f1603063f4e7c0a6a370025de08a0bb69897cd6c757f1bb0
RedLineStealer
11878766a2a00d5bbc7774f4697c78d29fbd54293ca264eabf208691f85bbd14
RedLineStealer
3165f664c4c755bd9715a7f004b98f1990a2055aa1ca4ab8ea75bf2d7730dfcc
RedLineStealer
64365156896ff3b41790a7b0dd38bf1efb985a4e5e35135883b34ea69a85b508
RedLineStealer
7518f251ed3872355b637119033fd40e900fdfcd2955425f243951f40279bcfd
RedLineStealer
75f9db664373b1e957799e65139d1468c7cc7f39ce171c100b875d886cda0690
RedLineStealer
7ed395afebf774d7e1e0ce47b88445afc2a8b9811c94553f6923ba4496ce9962
RedLineStealer
8a9e291a57a70f07a7d3b0aee7f05b8268a5af104b1bbafa571d8d662fcd66b0
RedLineStealer
e4bb056a390bf88d2e2b2f578b5a4cbb6b4eb9d19a8f7998642bd46585bd99ec
RedLineStealer
e8d7197a7c6ba760b398ebe50fb5ca8770e454fca9da731438eb329b8db56c3d
RedLineStealer
+ 169 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230724-cxz6bsab3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
149.202.8.114:26642
Unpacked files
SH256 hash:
1161f2aaede4428d7c5ad55c68d14531c7459a2a946e9b946553027db4087b9e
MD5 hash:
5b9e910f14c9664c591d075ccfdda0c3
SHA1 hash:
dbbbe03ec1f8b19d8ae3c39912c7cc07d35c0fe3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8cd6e511-27ec-4953-aafe-8cc5a832cd19/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
cbb2b3d88f8407ad3533d49d83ee97450a946073cbf9eface7bf8a0aba6a2977
MD5 hash:
1170152a8e1dc3e4b9c38d8146362e81
SHA1 hash:
d1a14beb19d4242e9237c59d5b5d85a3c2c70aa1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8cd6e511-27ec-4953-aafe-8cc5a832cd19/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
ae08b6ce7cdd04919c987c48a8e1fd11316e15f8071c063e8060251ba49e092e
MD5 hash:
b9ac7ada76639bf533b86fc0ae86597c
SHA1 hash:
74ce4a5df518a85c44d5d51fd3213fd6da36940d
Link:
https://www.unpac.me/results/8cd6e511-27ec-4953-aafe-8cc5a832cd19/
SH256 hash:
ef904719bce27fd4ef1e3221cb658a1ba93f7fafccc16d6e0ffb00a1bfb399e9
MD5 hash:
3c81ebdb4f2dc1f98485343dfeaedce5
SHA1 hash:
0ce97f6e8d3cdac8b68329d57b4d16873d6ed167
Link:
https://www.unpac.me/results/8cd6e511-27ec-4953-aafe-8cc5a832cd19/
SH256 hash:
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
MD5 hash:
8fa8bfb9b75a7c33d9d8cc65a7172a7c
SHA1 hash:
0766beb4e4dec3196f95e10044e792862ca83c3b
Link:
https://www.unpac.me/results/8cd6e511-27ec-4953-aafe-8cc5a832cd19/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/07ad5d7c0500/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2688463/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2687902/
Cape
Cape
https://www.capesandbox.com/analysis/430517/

Comments