MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47162ef38e515cecd61c767bc97b7588a985c65d56f858bd8b85789bbdd66d80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47162ef38e515cecd61c767bc97b7588a985c65d56f858bd8b85789bbdd66d80
SHA3-384 hash: 3bea4a1dd691f63ae79efd20cbe3aafa42209f23dbfb6d338d019edc62b4d6744b08d8106a0ab68a5c6595b24fe8cedc
SHA1 hash: 02ce19541fef9b322d65903b6ce2920223dc7f53
MD5 hash: b8c874e9b01c62ac0895f37c7a4c519a
humanhash: twenty-mexico-yankee-johnny
File name:SecuriteInfo.com.Variant.Midie.78785.27527.519
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:364'544 bytes
First seen:2021-01-29 19:20:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92e07aefcbcc18379e9081a59e611806 (1 x RedLineStealer)
ssdeep 6144:B432TwiYFAG+l3ZuWLZQ4JLQdD9TQncVqXaBEMUY+biv5:B43mwi53l8iZ7xQrLqX1Ywiv
Threatray 233 similar samples on MalwareBazaar
TLSH 5474D011B6D0C032D1A268B54E26C7B15E7B74B52A2A594FBBD80E7D4F243C1FB1A31B
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Midie.78785.27527.519
Verdict:
Malicious activity
Analysis date:
2021-01-29 19:23:22 UTC
Tags:
trojan rat redline phishing
Link:
https://app.any.run/tasks/028c4cda-c262-43bf-80fd-1d120e691041

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114853/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Stealing user critical data
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594339
Signature
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/47162ef38e515cecd61c767bc97b7588a985c65d56f858bd8b85789bbdd66d80/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-01-29 10:27:51 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4lc544okfoozvq4oz54s63vrcuylrs5k34frpmlqv4jxpownwaa._file
Verdict:
malicious
Similar samples:
1b189602123e4dba4522d442877fb0862a8fbbc4cc6d187954ba27039bea7d9c
RedLineStealer
31239f4455170cbb223b36936011b6573c3a5a86ee32b55f0bba48d95f3c7f6d
RedLineStealer
35b387e25dfb13a3b425438ab49168fd72d4c9c264d6a121a43f1e7387cdadae
RedLineStealer
53694d09899c9de1600743b37ab45e9dc4e3eaf329dc410e87a3b7318d943012
RedLineStealer
5e05d90bcdb3ed152fbc447a2f30538affdb2e3c3f60fe4a548837123a423f45
RedLineStealer
7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb
RedLineStealer
9ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
RedLineStealer
a3948163bc436fde2808c4c76fccc90d515f3d754fc5851f0eb1e8b40a539e2b
RedLineStealer
bcd0816d97ffba1d11214540f3bf25344f835281fdd67edba638054527833222
RedLineStealer
e956a58b3dfb4b71d0fddad3a02ffd5cc0c3413684b59e2f9f14fd3626250f1d
RedLineStealer
+ 223 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/210129-t1td352n2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
a884dc4e9230f35aca78699d729ddf9b128471cb42f5fdb14b78736ec7c1e803
MD5 hash:
9899afb6c6d440c4b8f6edeeb969f0ed
SHA1 hash:
ab134f341abc91b2fa8ac195cd23a7948fadbbd1
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/2462bc6a-1264-4bf4-874b-9b356c0dd879/
SH256 hash:
2dd2583c49539374143af5846351cb5e70b5284d26dfe1f38eb69fa366ff1b15
MD5 hash:
f8d4373157dd605de55e0c9f0e28beed
SHA1 hash:
a98dcced994e33efc057554e78fff6bf91863aa1
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/2462bc6a-1264-4bf4-874b-9b356c0dd879/
SH256 hash:
47975cc41337ff053250509b844b1b4652c52ac5f9cb178da7b9aef8ebaeb706
MD5 hash:
def4d18eae579f12e35367d3b85d5e48
SHA1 hash:
008ca96ca17127d24569356da454d4861c21d27d
Link:
https://www.unpac.me/results/2462bc6a-1264-4bf4-874b-9b356c0dd879/
SH256 hash:
47162ef38e515cecd61c767bc97b7588a985c65d56f858bd8b85789bbdd66d80
MD5 hash:
b8c874e9b01c62ac0895f37c7a4c519a
SHA1 hash:
02ce19541fef9b322d65903b6ce2920223dc7f53
Link:
https://www.unpac.me/results/2462bc6a-1264-4bf4-874b-9b356c0dd879/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47162ef38e515cecd61c767bc97b7588a985c65d56f858bd8b85789bbdd66d80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 47162ef38e515cecd61c767bc97b7588a985c65d56f858bd8b85789bbdd66d80

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/983276/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114853/

Comments