MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50cad9928e3a881e74f6b445a17af9ea03412a9f32e9e44ddcb4b49de68524b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments

SHA256 hash:	50cad9928e3a881e74f6b445a17af9ea03412a9f32e9e44ddcb4b49de68524b9
SHA3-384 hash:	e607f5a55f640d54c6b70ef84bb1679adcf5a0ee27926858602e514f82d0f578a0d739430cb4285db280faa9169f6ea0
SHA1 hash:	366285644c77bddd163ba7f746f76ae120c05580
MD5 hash:	d944bc405f14f89c8b91b5e6f9b37ff7
humanhash:	whiskey-robin-maryland-salami
File name:	50cad9928e3a881e74f6b445a17af9ea03412a9f32e9e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	349'696 bytes
First seen:	2022-04-07 20:36:15 UTC
Last seen:	2022-04-07 21:47:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	23aef259b74b761b8d544111b9225b45 (2 x RedLineStealer, 2 x Stop, 1 x DanaBot)
ssdeep	6144:XLoNxI053HEYo3dED8AvIhmxNBKgOT/TPtJkHzTaxo6F+jd4oB:boN753HEYo6NvIhEB3G/TPt+ix7cd4o
Threatray	4'955 similar samples on MalwareBazaar
TLSH	T19674CF10B790D039E4B762F849BA966CB53E7EE19B2455CB72D526EE46346F0EC3030B
File icon (PE):
dhash icon	94dc8eeeaa8ecc8e (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.72:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.72:23196	https://threatfox.abuse.ch/ioc/517362/

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

50cad9928e3a881e74f6b445a17af9ea03412a9f32e9e.exe

Verdict:

Malicious activity

Analysis date:

2022-04-07 20:40:12 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/2791f2b4-997a-4417-a879-7ad02a55a6c8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/261800/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.35714.2940.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13036/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/624f4b70d53a7479dad296e0/reports/dd5aa50f-74a1-4f9e-acc5-bbb59ce876bb/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aa25cf95-ba9a-4473-b837-144f31be6f2c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/972725

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/50cad9928e3a881e74f6b445a17af9ea03412a9f32e9e44ddcb4b49de68524b9/

Threat name:

Win32.Trojan.MintZard

Status:

Malicious

First seen:

2022-04-07 20:37:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 42 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kdfnteuohkeb45hwwrc2c6xz5ibucku7glu6ito4ws2j3zufes4q._file

Verdict:

malicious

RedLineStealer

7e0cb6db3bee27907dad2a3ff865f696e3676d61920ffcd66277ba4e3611f3d0

RedLineStealer

7f6e80385617d3629c4f408981996b6496478c7eb94ac3f17105e1eab5f5628b

RedLineStealer

9cb30c1b919995bef4fa43fdb6b1172eba2fc096c1655f5040f7ae819bbef78b

RedLineStealer

ca023814aa064ac9cd4015cf89eec32339828447bb34d2f45c44ef9d064603ff

RedLineStealer

e1b05386a01969cedfe00a3ec9379dd2b25ce3cc535825c9efe8953701f2e0eb

RedLineStealer

+ 4'945 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220407-zd5b9scaf5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

7af58d6b5e076d251b98aea69874e4234484f1a4f814d8b43f04c84d54024a13

MD5 hash:

66723a4106cd5b425d7176f88ae79609

SHA1 hash:

e0d632177a23f2223588a5b50bd65d8ddca72be5

Link:

https://www.unpac.me/results/a422e662-1077-49e2-816d-d3906f223c5c/

SH256 hash:

2565d7ea4ccdc18bfb3ccc2a63dc757bdfdcb94da35a62425a3c83238b5f197d

MD5 hash:

fb74b71b36b128114dc4c17116bf97f8

SHA1 hash:

a356d0440bcf1d81a9c09748196716facf2e381e

Link:

https://www.unpac.me/results/a422e662-1077-49e2-816d-d3906f223c5c/

SH256 hash:

e115c30029aac09692138468421ac55be9033e55d0773889e700ba68aa795f8c

MD5 hash:

4d5141a40374f593f81d074725c1b180

SHA1 hash:

7129da2db756d0bf29ae7cd99f4119c31c5f920f

Link:

https://www.unpac.me/results/a422e662-1077-49e2-816d-d3906f223c5c/

SH256 hash:

50cad9928e3a881e74f6b445a17af9ea03412a9f32e9e44ddcb4b49de68524b9

MD5 hash:

d944bc405f14f89c8b91b5e6f9b37ff7

SHA1 hash:

366285644c77bddd163ba7f746f76ae120c05580

Link:

https://www.unpac.me/results/a422e662-1077-49e2-816d-d3906f223c5c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/50cad9928e3a881e74f6b445a17af9ea03412a9f32e9e44ddcb4b49de68524b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/261800/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample