MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f79324450ecd1494519a2ba2942903c78ade8d9021b2cae61dc17258cd61724. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	1f79324450ecd1494519a2ba2942903c78ade8d9021b2cae61dc17258cd61724
SHA3-384 hash:	b09179a8b19bb75893c6d30b4f68d0878395179be3c348fb757168d2564d32f292b783c102b9bb4235d6e24a56b7781d
SHA1 hash:	f97e41a30860305d1694770fba32ffc87868739c
MD5 hash:	cfc158d4afaf95097dd1781089e476ce
humanhash:	don-march-magazine-undress
File name:	cfc158d4afaf95097dd1781089e476ce.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	348'160 bytes
First seen:	2022-07-23 12:05:23 UTC
Last seen:	2022-07-23 12:35:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	69351a49496b84d5bbf84d071845ce10 (3 x RedLineStealer, 2 x RecordBreaker, 1 x TeamBot)
ssdeep	6144:/QSMTkz9z/YLNAT+POIwS9lhhLSaLOUV47ktdDXlZClGU2j1iU9CigafwVf:/dgkt/eNAT+GIwS9lT28ziUF3AGU2j9n
Threatray	6'790 similar samples on MalwareBazaar
TLSH	T11F74E00976ACCCB1E4A55E315870EBA12737BC669A30550BF3A4372F2EB33D0567532A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea68c8cdc (1 x RedLineStealer, 1 x Smoke Loader, 1 x CoinMiner)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
46.173.219.60:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
46.173.219.60:80	https://threatfox.abuse.ch/ioc/839188/

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293657/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.440.18575.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/27179/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed pandora

Link:

https://www.filescan.io/uploads/62dbe4b40e298a94f3f31463/reports/658b5f9e-b66d-4e76-aaf0-86a1dd78caf1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a776408c-7883-4637-bcee-8f52cf37b8c3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1039722

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1f79324450ecd1494519a2ba2942903c78ade8d9021b2cae61dc17258cd61724/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-07-23 12:06:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d54tercq5tiusrizuk5csquqhr4k32gzainszltb3qlsldgwc4sa._file

Verdict:

malicious

RedLineStealer

323391ccbde9dc85cb92e70f7a6db00f0b051fef096308afab1efa163eaad5b1

RedLineStealer

33b95b050eeebdf0dbce9a16c8bf7d99a4a6fbe66c17e5c725dbb69d95fcf4c4

RedLineStealer

35c6424237094789bfb86f3853b68e11f70c9c5de53e4a39abdf581c562adcba

RedLineStealer

4c50e642bfc466aea428e0f357cb4de912ff2464df20b4247b424d809e70ab5e

RedLineStealer

5edf1f1114d81f5f8a1a2ddefb49df29ff83650d2a3ae6d819e15a028987bbad

RedLineStealer

77385b4fa267d7f10571edeba9ec74a65648b3ded54516ef96194171e8379912

RedLineStealer

7ef7259f3ba8cf8c6444f82a4092066d624c5de4f9c72cd3a0031dd4364b97fa

RedLineStealer

e4f381f234287ad7a4bcf63e24303a64eb681e079388adf4a9df8eee8ad9bfad

RedLineStealer

e6389e05edf0eafd2330af2d40b0fc220babc1f4a0e827b46d71d5aeb3acc1f3

RedLineStealer

+ 6'780 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:af discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220723-n9qm7sedfq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

trustamsty.com:80

Unpacked files

SH256 hash:

299afe8a01fa5270eb887b0e4020c8f96102de4c87b0c46ff2bfc905c849622a

MD5 hash:

840b80447a1c6e02a1469ff39a00a298

SHA1 hash:

c203641fa92eff1c70d025202200ec5bfa39fffb

Link:

https://www.unpac.me/results/16c7f949-365a-44ce-997d-014b70adf445/

SH256 hash:

281bf89c4616e637fdeceaafa9da517e1039a05a9f1ba842b5aaacf90fd24696

MD5 hash:

837912194ebc449162472ba0baa006c0

SHA1 hash:

a1efd282f3fd8b4a6b4ced2ffc97da8ce2afc18d

Link:

https://www.unpac.me/results/16c7f949-365a-44ce-997d-014b70adf445/

SH256 hash:

4ec9361af4403303ddbe0f2a53ba606fb17ea04dd56d17c44a42c6f885dcf93a

MD5 hash:

01c204e04df497dfd05de321935ba7e4

SHA1 hash:

374e938f3329bc1402aed42fb1f8f78e0bd47e83

Link:

https://www.unpac.me/results/16c7f949-365a-44ce-997d-014b70adf445/

SH256 hash:

1f79324450ecd1494519a2ba2942903c78ade8d9021b2cae61dc17258cd61724

MD5 hash:

cfc158d4afaf95097dd1781089e476ce

SHA1 hash:

f97e41a30860305d1694770fba32ffc87868739c

Link:

https://www.unpac.me/results/16c7f949-365a-44ce-997d-014b70adf445/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1f79324450ec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1f79324450ecd1494519a2ba2942903c78ade8d9021b2cae61dc17258cd61724

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.