MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52ac942f2f2ddba5bec88aeb45e44f30574d8b8a7a8dff9f7501c417e816a373. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments 1

SHA256 hash:	52ac942f2f2ddba5bec88aeb45e44f30574d8b8a7a8dff9f7501c417e816a373
SHA3-384 hash:	e72efe0a020a72ed07bcbfb130bc868d26de1f66edf92266cd245a90ebbc2cafcfea9283463f01fa7f1c314ffe68b8e3
SHA1 hash:	1b3458bb985e80c289f497c8c20eb47ec5933ba6
MD5 hash:	71de3de01084f352621294e1c16512d5
humanhash:	echo-sixteen-mirror-michigan
File name:	71de3de01084f352621294e1c16512d5
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	433'664 bytes
First seen:	2022-07-12 21:35:03 UTC
Last seen:	2022-07-23 03:49:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ff9f7961c437f7dbbb5aec440ebbd096 (3 x RedLineStealer)
ssdeep	6144:pWLETS8Q5kakkTq10tC+d64tTb3Xn4TtqcKPYfcDM+ezSJDexvURO8hA6nZNRLy:Y9Tk2qOA+64tTb3wVKGcwgDedUhxZNB
Threatray	7'080 similar samples on MalwareBazaar
TLSH	T11894BF10B750D035F5F712F84AB68368B92E7EE1AB2450CB62D86AEE5B346D0EC31357
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	2dac137831939b91 (9 x Smoke Loader, 6 x Amadey, 3 x CoinMiner)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

358

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

71de3de01084f352621294e1c16512d5

Verdict:

Malicious activity

Analysis date:

2022-07-12 21:41:16 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/0e19dcfd-6d75-4baf-af30-b6cffd91a87e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/286686/

Detection(s):

Win.Packed.Crypterx-9954995-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

babar greyware packed virut

Link:

https://www.filescan.io/uploads/62cde9450b00dfa734ea6ed7/reports/6d0c296b-7893-4667-a0f3-3bd4dbc8d1c1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a5e7908d-dc8d-46fd-a6f6-7a90fcb08be1

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1029757

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/52ac942f2f2ddba5bec88aeb45e44f30574d8b8a7a8dff9f7501c417e816a373/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-07-12 16:39:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kkwjilzpfxn2lpwirlvulzcpgblu3c4kpkg77h3vahcbp2awunzq._file

Verdict:

malicious

RedLineStealer

5a398402a9490b25fa2d70a72aaf7a2ec72c933eac8c55a17e1140b40ca0e045

RedLineStealer

5d1e2200925af86836f79400e3cb449428ee40d9a053d01d4d88edccfcc76c68

RedLineStealer

6a2e0a9a2742cfb51cb52672e232c308a3297f8d11d428922825deb9d87f38ee

RedLineStealer

acc5a182ebfd5ab6e00c437950329fb29b44861f742af438cb6cf255c5ccc1ff

RedLineStealer

d34f1d23b7dab0b50f29b8647720aaac21c3c43cd3deb478e55b2b46a9872334

RedLineStealer

f072f7896731668ac389aa1d7da8c1d12a858bcf58b6ef8d023ffa78ef3f4023

RedLineStealer

faf83f4e59e042875c7f4b3b0265a7c8edae4f55cb9048fd7fa57996f493a84b

RedLineStealer

+ 7'070 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mrminister discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220712-1fc68shfd9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.233.48.58:43014

Unpacked files

SH256 hash:

1a49bdf7cc78ee7edafd9feabf15305306737a09e65bed8b7356f6c2dcab5c36

MD5 hash:

a4eae7dcdfb66268a66c124dc0056e3a

SHA1 hash:

c60e8e36bb452b3dc7672ae04209b75f66c32257

Link:

https://www.unpac.me/results/f55bdb0c-14f8-455b-8267-5248b8b05292/

SH256 hash:

85d8698bf35c3f9b6395aaf7aae87abeee7b5e5d889b0445ece300813f78e944

MD5 hash:

f21a8d0a8d146c79483d01e4583cdcdc

SHA1 hash:

95b0ff56aa63bbec7270e644a4c640c123b9f960

Link:

https://www.unpac.me/results/f55bdb0c-14f8-455b-8267-5248b8b05292/

SH256 hash:

847896eff8b7141f0f66e2bf0f3a0bebde6101044b9d5fab1058819bcdc54862

MD5 hash:

19247b8d36f1cd8e70beb6fbfab83c7d

SHA1 hash:

7cb03f7467c2a642dc53047b256a6d7c0bc86f1b

Link:

https://www.unpac.me/results/f55bdb0c-14f8-455b-8267-5248b8b05292/

SH256 hash:

52ac942f2f2ddba5bec88aeb45e44f30574d8b8a7a8dff9f7501c417e816a373

MD5 hash:

71de3de01084f352621294e1c16512d5

SHA1 hash:

1b3458bb985e80c289f497c8c20eb47ec5933ba6

Link:

https://www.unpac.me/results/f55bdb0c-14f8-455b-8267-5248b8b05292/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/52ac942f2f2d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/52ac942f2f2ddba5bec88aeb45e44f30574d8b8a7a8dff9f7501c417e816a373

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.