MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 157650a417bac6874b180b9e1603ce39347940c605ec3229d99771992c394ea5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 157650a417bac6874b180b9e1603ce39347940c605ec3229d99771992c394ea5
SHA3-384 hash: dddac87b0127251e2d74928cf183cbb436740e6e1cd0d0d5fe89ac22cbbb93522a8925557a86c8994b54b720b14a5b21
SHA1 hash: 1e2a711c4e594aaf778a4169b2a5cc20fb18f832
MD5 hash: fc593bc2e4935812234f64f652261652
humanhash: lithium-ceiling-echo-hamper
File name:cryptogeng.eth.etherscan.com.clean.bin
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:267'776 bytes
First seen:2022-07-05 12:35:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9773753d57b15fd8f7203b9820b8a12f (1 x RedLineStealer)
ssdeep 6144:1rjOUFDSQU/Hx9bqmAO4vljBGggWbQpa:FjOUVQIBabpa
Threatray 4'898 similar samples on MalwareBazaar
TLSH T13F44AE4131D1B472D5731C3289E795B04A3EB9FE062E497B6B890BBE0FE40B0DF19996
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter iamdeadlyz
Tags:bin exe RedLineStealer


Avatar
Iamdeadlyz
Targeted social engineering attack against samczsun
RedLineStealer C&C: 193.124.22.17:23520

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
cryptogeng.eth.etherscan.com.clean.exe
Verdict:
Malicious activity
Analysis date:
2022-07-05 12:02:11 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/3b67c5fa-6276-4e33-9207-98803aef25b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.28157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23881/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/62c43070783441cda108ae3f/reports/8ee2f04f-dc9f-41cc-b390-d59a31050ef3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23a30d4f-08ee-4600-8ac5-c250e926eea4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024815
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/157650a417bac6874b180b9e1603ce39347940c605ec3229d99771992c394ea5/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 09:15:23 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cv3fbjaxxldiosyybopbma6ohe2hsqggaxwdekozs5yzslbzj2sq._file
Verdict:
malicious
Similar samples:
1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4
RedLineStealer
986b1e107fdcf5ba3eec492626b08ea3d4e2091931d10b196a11c790a6f43d0c
RedLineStealer
a11ac8d263cad1c1bf6b40bd22c71403027d9b7a7cd825055be91ba5e4bc9594
RedLineStealer
a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e
RedLineStealer
ab13f05aec11044e1c4553a42b85ebc1bcc0aed156edf0e940a8a18e03470cef
RedLineStealer
f62cebe556bf3cdac1deae1af87712ad928f25e95b6630973511903fcf889c37
RedLineStealer
+ 4'888 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220705-psxkvshcak/
Unpacked files
SH256 hash:
a7c8a4c96c81848b382c2f7a206d4bef9b9d762aabde23a534c93431acb52cce
MD5 hash:
374a0abf9e2a0f4ea928b47c05460c3c
SHA1 hash:
a2234b0e2b6abaa0ff926ac320377c7209dae6de
Link:
https://www.unpac.me/results/cbc56f4b-8737-402a-b744-28c532c36ed7/
SH256 hash:
157650a417bac6874b180b9e1603ce39347940c605ec3229d99771992c394ea5
MD5 hash:
fc593bc2e4935812234f64f652261652
SHA1 hash:
1e2a711c4e594aaf778a4169b2a5cc20fb18f832
Link:
https://www.unpac.me/results/cbc56f4b-8737-402a-b744-28c532c36ed7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/157650a417ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/157650a417bac6874b180b9e1603ce39347940c605ec3229d99771992c394ea5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 157650a417bac6874b180b9e1603ce39347940c605ec3229d99771992c394ea5

(this sample)

  
X
https://twitter.com/samczsun/status/1544186151585533952
  
Delivery method
Distributed via web download

Comments