MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50f4c1d10f7d9db371f096754adb5a78750ff213bed7a70c7e45f1e820ed2787. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments 1

SHA256 hash:	50f4c1d10f7d9db371f096754adb5a78750ff213bed7a70c7e45f1e820ed2787
SHA3-384 hash:	f4977a1831e3996e8bc1799238def871f69f5947b3b295012b6b9c9d6150af9fc1dfab26971ebe8900bcb827d8fe26e1
SHA1 hash:	f800b24545fa31b803b412d5292e1853796bb301
MD5 hash:	c4dafa91b5150847035842bb259f3c24
humanhash:	uranus-speaker-happy-freddie
File name:	c4dafa91b5150847035842bb259f3c24
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	416'256 bytes
First seen:	2022-05-22 09:31:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0588ee478c2f970a1d27d379ec7f0453 (7 x RedLineStealer)
ssdeep	6144:4wH+w1P4363S9f4tojgsDo6WZeVRvfOhoYKISl8abizW8OhdScd/Q1H:4kpPgkSZgsDoRZ6X6vS/+Wf4
Threatray	3'367 similar samples on MalwareBazaar
TLSH	T1D794BF10BA50D035F1B316F459B982A8B92E7EE1AB2450DB63D53BEED6346D0EC3071B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9824e7d0c6e72158 (4 x RedLineStealer, 3 x Smoke Loader, 2 x Stop)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

c4dafa91b5150847035842bb259f3c24

Verdict:

Malicious activity

Analysis date:

2022-05-22 09:31:58 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/f541864a-41a3-4912-a13f-dad122b14169

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/273396/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19514/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed smokeloader trickbot

Link:

https://www.filescan.io/uploads/628a03206eb3ff32631e6551/reports/28c38b04-fbbc-4e6d-ae0f-d2dd15f63f1f/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d5adbfef-83c5-49e9-9ce9-3ad740331c9a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/999286

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/50f4c1d10f7d9db371f096754adb5a78750ff213bed7a70c7e45f1e820ed2787/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-05-22 09:32:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kd2mduippwo3g4pqsz2uvw22pb2q74qtx3l2odd6ixy6qihne6dq._file

Verdict:

malicious

RedLineStealer

884bec8d35a2a1f84dbb50d62b9a1e0abdd0ef8f3b09521508fae751e04e2db1

RedLineStealer

967e98b250c72d4222068a1dcef714211a3c3bf5562c5befd98b43e443f107eb

RedLineStealer

ce31a4699587ca5d80d259cdb4318cd5eafb91a3fa4b79b37d745c35b0a15f48

RedLineStealer

d0dfea9c873b70d7bfada6a3590a83e70fde63d6a04d24de514a70c1a6e3d4c3

RedLineStealer

e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e

RedLineStealer

+ 3'357 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:testtes discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220522-lhlttsheg4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

iclarinyerac.xyz:81
manellylarii.xyz:81

Unpacked files

SH256 hash:

b67b09dd39eb7564d4e371ef079e130bf6a4a3b40fe5b07d13887ed86ebe9790

MD5 hash:

c4695b9e7e84cad2b088d32e3d56c846

SHA1 hash:

e830742485a99bb1835c2976c5131a950367296a

Link:

https://www.unpac.me/results/14412b4a-d6b2-4634-b914-9316654296ed/

SH256 hash:

70e485b6550d675818dc0d0831ad81e60a3ddc54649fb65f383ce4593f8721f7

MD5 hash:

b0f41845f56327c0d8c212c87b52c28a

SHA1 hash:

9de03bad3ab46c5f2267e01bca9552799a9907a3

Link:

https://www.unpac.me/results/14412b4a-d6b2-4634-b914-9316654296ed/

SH256 hash:

c6fee715ea9e0466f0a877261c8968fc1f3c2e818116612c02fc36b04d74daad

MD5 hash:

22383dd856b6541c834f1234df28103b

SHA1 hash:

0b6cd27f0050dd46b262ca708772013370fc0706

Link:

https://www.unpac.me/results/14412b4a-d6b2-4634-b914-9316654296ed/

SH256 hash:

50f4c1d10f7d9db371f096754adb5a78750ff213bed7a70c7e45f1e820ed2787

MD5 hash:

c4dafa91b5150847035842bb259f3c24

SHA1 hash:

f800b24545fa31b803b412d5292e1853796bb301

Link:

https://www.unpac.me/results/14412b4a-d6b2-4634-b914-9316654296ed/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/50f4c1d10f7d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/50f4c1d10f7d9db371f096754adb5a78750ff213bed7a70c7e45f1e820ed2787

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.