MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a7c46ca6fd9550031e1d820aec076d1df75d19113621ac2bb1e988a8c9e4ae0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	1a7c46ca6fd9550031e1d820aec076d1df75d19113621ac2bb1e988a8c9e4ae0
SHA3-384 hash:	46811fb42c0fe99eaeb46f2d7fbb59cac3e34324e8d9bee21f8ecf209c5bae8317e03dc7c994c243a77c8f594ea14cae
SHA1 hash:	c732fe06ca8f63bc0c3e11fa8c7cf3d9458c94fd
MD5 hash:	1c489eabeac57e81cff31dc500a01dcc
humanhash:	arkansas-triple-fifteen-avocado
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	355'840 bytes
First seen:	2022-11-07 15:14:21 UTC
Last seen:	2022-11-07 17:13:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a07bb4b81e6c6d0f72670722ee7e56 (20 x RedLineStealer)
ssdeep	6144:O6+foX80j27IUoDG/9wATm45BHYUAOhJYJfPfc+freo5JSjZY85+:O6+foM0j27IUoDUzknL5zF
Threatray	1'114 similar samples on MalwareBazaar
TLSH	T17C74CF40B5D3DA72D9B2543A09E0DB75897DB8200F7059FF67E4076B4E202C3ADB2A79
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-07 15:17:34 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/5705200b-1785-440c-981b-4984fae0fdb8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/330016/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.11579.8683.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Launching the default Windows debugger (dwwin.exe)

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/636920f8364a5d892e84a1b9/reports/12db8517-1a38-4f81-9ce3-6a65fbf3c4a1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/85c8c851-fc9a-4610-878f-18a4f29830f5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1107374

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a7c46ca6fd9550031e1d820aec076d1df75d19113621ac2bb1e988a8c9e4ae0/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-07 15:15:08 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dj6enstp3fkqampb3aqk5qdw2hpxlumrcnrbvqv3d2mivde6jlqa._file

Verdict:

malicious

RedLineStealer

5842ef62948774596013f0e7a35663b4e583ade216741049ea837e3dcc9acefb

RedLineStealer

6571cc7c366fd3a45158d53d010db01de651ca8cff9672b8219adff3e15481fd

RedLineStealer

cc285423b687fee9ac81af7fe2e1c44edb440f2d141bd06f587562bbecdcf4c8

RedLineStealer

db5b71ac07c6b6ae66f229536c8dd7493b804df8242ea8a546f7c4330e1f24cd

RedLineStealer

e52694f6490e292bca024e6f2668a89e143897510636b6891de8d8c1130a6519

RedLineStealer

+ 1'104 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:711 infostealer spyware

Link:

https://tria.ge/reports/221107-smwcdsfedm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

194.110.203.100:32796

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a0d0b3fa-14ab-4a28-b1d9-c40d0c995733

Unpacked files

SH256 hash:

6bb44e4339951fcfb2013e7d6e85afe72988e8d4b0229cc810c20753bbae63cb

MD5 hash:

886bff907b9e1fd1cbffdaed75db55b2

SHA1 hash:

d08b7c62f8d610b3826433700101f2dfdb9fb39b

Detections:

redline

Link:

https://www.unpac.me/results/db93687f-6958-4a3d-b09c-d2fea1078177/

Parent samples :

cc285423b687fee9ac81af7fe2e1c44edb440f2d141bd06f587562bbecdcf4c8
1a7c46ca6fd9550031e1d820aec076d1df75d19113621ac2bb1e988a8c9e4ae0
e0a8b7625ae37474dec9abd9ca3bcce1579ad5298d73e3bf6216fe6c301a21f7
0cb1bd5e42c2c36180da286a6fea506828bca2b52ce90a33efa79b2a1bbc087c
9a635290353b8d1a64f58c5d0a84a474aca0bed55f6924aa8ef639138f2f3501
40bf6081aba422e4a8e6f7c28e37862db5a55a9b2f7fc91b0dfc338a8c118b61
47e4f1702bdb782cf54bc63ddfd4d3ab8c914401ec04753b1ce0467e9af8a0df
3a954a6d5b0dab1a3cd72abc9922ac621faa9ffeec1cbfd30387f9b58ff0524c
487f692d4542dbf36326edf1a9dc95aa79766976ffa216ada919608607115f07
0aea55e208c4bcca4ce15ed0cbf9da28dd9a673c81b2a6498120cebb1d91df00
02037c6c2f167c6d8a644eed10a3230a030794d44f199b123118991d847320cd
cc03302457a0f8306587c3cc985e34de489419c910f1d91b008f4e435cc19a25
c19eece37b3f121921955fa412ad6b48877f8267b5736254f8b08a7182c80fb7
c6540305bd436857be3a8d27add6cc8da08d32c156846f30369b9baf012bb13c
c9192a00936786e367fe1ffc605eafc645c4bc3dcc66987772a8def633235468
bc7381a7248b4a546acf4944e549080fad811acbf1b22a07a3469ea0559faa62
d6841d2cc49083cd7cb8f193d2472bcfa3047a9604862e488add1a62ccae3b3b
8a95bd48d2584a749fda8738ec81175f9599b73c6ab873e92177287450df8fd9
391a279a73e83e2bb74cc101dfac06934a7557e45b0bdcf6e936638933b7642b
bd862ccdb4efe187742367ac2aa0862d96747a1f066ff8d2fb356712f14e835f
3e51fae8b429b5bb30d61a5efb5357020eb378f5b83e1e913349d737ebe0bd10
1de1be30fe540a3ec2668c30563484622da5359180d635842e30013d036b7f21
7364c1a162c1aba59448972e7a1586925cc2287dd02476acfe909bad9c2e9798
82ed847ff151260a02f9c9ab127186e7778bd6a92e7c29f7064f4eb93544cb5a
eeffec5de4713c770dbcb8c37102766f46c6e0472d69945cb75bf6ce4828e695
48709413d8861b47cf9e5b2ad93fdade7a287c7ad09b406a133457b1ce4b4049
23a9ebd6ecd7cfe183feae9a59770946eee29c879c5e04f7f8124c69122851d2
41b50ca266a53fcb5dcb9823614f6d0089f1234997cfee67b2d2283905a79056
89a4671154cbedeef33f82bfca8024cb818c413e136eb288a25cc026a6c763db
a07ecabb9993e542834dab5498e7ab394dce0c9bcc02b186aebca710e8969db0
81173b89b99d19283f9ebe3ee7e2aa13070618cbb1d9d7c96a2bbf8be985dc7a
640c48fb023a7626bf4f85e38ff1ef0101a56a8935c5d2b3281cf7bc62dfcf1f
cb662283c4a93c470eb59b7176afc2ac7711fde00e9b8f90d0637e15a39bb05c
a97dd2d4430e1f045564b591154d3537eb3d07def924533c62d8fdc8577cd89c
e0b552b692edd10e64e50af22ca59ca13166e42f31011c38a491505a42fdc901
4eba84651f9277848e81305df8d9cf6ed26f2a46d872a553f71615fcab13d17e
10b4fab1fd21031ab0c60827c213d57e36aaf3c24252dfa9fcc1c68134ab9637
238154fbeb8c1e9044badca46b9b98c1daf21bbea74b49b5a9939247c437bbec
f248e10c0133de41a9a57fe904c065124b884f664d1ddf5d62c6284301a850b4
a1897916acce8b810ae11ed907d77d5bf7245823ac832a1603dad73d7f552ecd
ef5ebed758551ce1266e4f30ca6010e151f6c5e6f1e0748949dd09d0b42716e1
466a20366f2f16813a26bdc6cce70a33d8c14bef069efbe24e0c028c9eb92c10
a4f1cc0fc562132d002fb992a4552dee7e75c26343be8611c9f9bc6b2d68eec6

SH256 hash:

1a7c46ca6fd9550031e1d820aec076d1df75d19113621ac2bb1e988a8c9e4ae0

MD5 hash:

1c489eabeac57e81cff31dc500a01dcc

SHA1 hash:

c732fe06ca8f63bc0c3e11fa8c7cf3d9458c94fd

Link:

https://www.unpac.me/results/db93687f-6958-4a3d-b09c-d2fea1078177/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a7c46ca6fd9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1a7c46ca6fd9550031e1d820aec076d1df75d19113621ac2bb1e988a8c9e4ae0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/330016/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample