MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 180dfbda7c9865f540b48cc53bceb1877650a402cc9bb540e55be3dad3ddf2c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 180dfbda7c9865f540b48cc53bceb1877650a402cc9bb540e55be3dad3ddf2c7
SHA3-384 hash: 6efc4203a4deb5e907eaabcaaabe8211f1a8254368efc3e82153dfa29f7c2fc7feeb4561b53efd6d6f0db8dd0abb24e0
SHA1 hash: 65c1020f040f641c0215193642135ee85bbe6abd
MD5 hash: e7f3383e3290e1d6c9ee402439d5f5ea
humanhash: equal-low-carpet-romeo
File name:e7f3383e3290e1d6c9ee402439d5f5ea.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:919'232 bytes
First seen:2022-04-12 12:45:47 UTC
Last seen:2022-04-12 14:00:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 57e740cde8bb25148800b09be3bc64aa (1 x RedLineStealer)
ssdeep 24576:B0EruiT2M+zaoHC3cTUP6E6uGDpIApl6rDd:tT2MGNHC3cTY6uGX/A
Threatray 1'497 similar samples on MalwareBazaar
TLSH T1B415332D622D426FCEED327058C2F9A415E1DB7AD6DBC36B70D031BE18B2329314B596
File icon (PE):PE icon
dhash icon 00f8f8eceef46080 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
f4031df5e0df4785513fd9fc9843e0aba4623e61b58cd163354ea64f9133b388
Verdict:
Malicious activity
Analysis date:
2022-04-11 16:00:44 UTC
Tags:
evasion trojan socelars stealer loader opendir rat redline vidar
Link:
https://app.any.run/tasks/4e37d603-0750-4c8c-a219-7dd069bb6cb0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263090/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39479155.2892.31941.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62557496ffe27d5119b58dc2/reports/a0535546-a83b-43dd-9cbb-79a381a5fe45/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de51ddf1-e40d-4638-96a2-7687f2232454
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975455
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/180dfbda7c9865f540b48cc53bceb1877650a402cc9bb540e55be3dad3ddf2c7/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 15:30:01 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f
RedLineStealer
61803de50535a38519fcfacaba6438717e7ac6e97a10348bf5c7d3a2ddc02e1d
RedLineStealer
7d6cfc5cfb6243152ee28b41a00650c3c95cc3615a5407c6ec094632926b99e2
RedLineStealer
82f2580bd4f645cd640020730404c2e0be6f75ada5f912b8abcdc5a1d78c8e5e
RedLineStealer
85ba700122e35a9457bc1d0fa4ae49123c99efe4906e764b26f83e6f15ff3dcf
RedLineStealer
aa0a18dad402f0cfbd776899ece4ec642f451f8ad0ae5a5faa0682bf1ca21930
RedLineStealer
e20da9ec0ddcfa71740b795beb5466204bbb1c2f82dcec35a5013fbfecbe49d5
RedLineStealer
ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d
RedLineStealer
+ 1'487 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:redline botnet:crypt1 discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220412-pzl3psefb5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Quasar Payload
Quasar RAT
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.62:4782
Unpacked files
SH256 hash:
1da8a4e387d7b155a96c231eeb656c91b607e7e0e34b6eefcbc37eed620ec9c5
MD5 hash:
5c2a78bcdbf1b651cbcdbeae91a1f59b
SHA1 hash:
4db4f4b9c4e427d04d6d300460bfa2fac531b600
Link:
https://www.unpac.me/results/c16dfae1-c192-4c90-91f7-debcf9253a25/
SH256 hash:
180dfbda7c9865f540b48cc53bceb1877650a402cc9bb540e55be3dad3ddf2c7
MD5 hash:
e7f3383e3290e1d6c9ee402439d5f5ea
SHA1 hash:
65c1020f040f641c0215193642135ee85bbe6abd
Link:
https://www.unpac.me/results/c16dfae1-c192-4c90-91f7-debcf9253a25/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/180dfbda7c98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/180dfbda7c9865f540b48cc53bceb1877650a402cc9bb540e55be3dad3ddf2c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 180dfbda7c9865f540b48cc53bceb1877650a402cc9bb540e55be3dad3ddf2c7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1829213/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/263090/

Comments