MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10
SHA3-384 hash:	60ef7d2fca0c19837bce176cfb07a3beb673b1d60880fc950727544132a68d1b4a487e572146cf3df41bfa3927e09669
SHA1 hash:	e6c5d7ba7a4abd2f8b020bcbdd1b0cd681e29d9c
MD5 hash:	a768c9fce6b906d8f70d2af34f565ba3
humanhash:	lion-edward-echo-lithium
File name:	C4Loader.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'886'224 bytes
First seen:	2022-08-11 15:33:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	969cf88128aa8ffd14bd915614ac0e71 (1 x RedLineStealer)
ssdeep	98304:NnPQtgKtjssvCdjrD6sCrC4Bu3+HKLIgWTlu5jLOsZRRDbo:YZs5Jk+RLI0VrRHo
TLSH	T1EB3623B312261086E6D9CD3AC237FED535F243678BC2E9FD88CB6AE165121E4A513743
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	00b8a869676bb840 (2 x RedLineStealer, 1 x DCRat)
Reporter	tech_skeech
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

348

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

C4Loader.exe

Verdict:

Malicious activity

Analysis date:

2022-08-11 15:32:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/31acf39c-8e0d-4b2c-ac2c-d034073dcb81

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/298025/

Detection(s):

Win.Trojan.Fragtor-9955199-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Sending a custom TCP request

Launching a process

Сreating synchronization primitives

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

DNS request

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28695/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/62f5216e080024921b6a39fa/reports/f9423468-de44-412e-8fc1-470b4c8f7e05/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a398bc1f-f7e8-45d1-9089-b6461762a917

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1050203

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Potential dropper URLs found in powershell memory

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Very long command line found

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-08-11 05:37:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 40 (57.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ki6hhaa4walvzapva4aq22f2s76gistp7bhf43akphk6ycybfmia._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery evasion exploit infostealer spyware stealer

Link:

https://tria.ge/reports/220811-sztz4aghgl/

Behaviour

Creates scheduled task(s)

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Blocklisted process makes network request

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Possible privilege escalation attempt

Stops running service(s)

Modifies security service

RedLine

RedLine payload

Malware Config

C2 Extraction:

107.182.129.73:21733

Unpacked files

SH256 hash:

f8878ed75a837e2c24184b22244329cc5152e3af964c0009a542ee7812484f0c

MD5 hash:

44d069219d10216041a96bf9c04d36a5

SHA1 hash:

4e3ff9da40efcca4c6c85686996414d0c25c3cd1

Link:

https://www.unpac.me/results/cc4a3f1f-ad83-4af5-8771-66f47ccc6811/

SH256 hash:

2af2b9d4ffae14aa31a1bd688df8cf6a9bd319400fc501a609bace8ed7f72046

MD5 hash:

4b480d533287d167c2ad794cec1b41b3

SHA1 hash:

33f2c0a50d14ed5d6e171036ee577e88170b9da2

Link:

https://www.unpac.me/results/cc4a3f1f-ad83-4af5-8771-66f47ccc6811/

SH256 hash:

f325ce0f6732a14718f687ea153ea44ce2c66a29eb3ba441b35c4d20bc59248b

MD5 hash:

06e54960cf5273a98d02c8c308c58ad4

SHA1 hash:

b088530175ac8afdd39a9d6bdcda4130c2829b8d

Link:

https://www.unpac.me/results/cc4a3f1f-ad83-4af5-8771-66f47ccc6811/

SH256 hash:

15ebd24df59f20fc7fe2e1c3f4d309f70771f1d246778d6e657e6ecc3c68473b

MD5 hash:

92902b79d0df799f5639a7207c965648

SHA1 hash:

3f3228d587ae810da015816e6333f6d2787f08a7

Link:

https://www.unpac.me/results/cc4a3f1f-ad83-4af5-8771-66f47ccc6811/

SH256 hash:

523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10

MD5 hash:

a768c9fce6b906d8f70d2af34f565ba3

SHA1 hash:

e6c5d7ba7a4abd2f8b020bcbdd1b0cd681e29d9c

Link:

https://www.unpac.me/results/cc4a3f1f-ad83-4af5-8771-66f47ccc6811/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/523c73801cb0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/298025/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample