MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52f0bae6beea011439748fabb5955d5849b1219ee710f9b4df2b3f2f8214fe17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 3


Intelligence 3 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52f0bae6beea011439748fabb5955d5849b1219ee710f9b4df2b3f2f8214fe17
SHA3-384 hash: a6a759ae69639c98daf02c196b951f43c8e18fef5ff7e6af108f14b52b555592f35605bdd031c969c00465c3a02f6c75
SHA1 hash: 34ce99646bcd90332b199472954165920e9d0e14
MD5 hash: f5cabd7f4e3df9361ef65b8e31f7b091
humanhash: salami-four-yellow-nine
File name:MoonWallet.zip
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:796'012 bytes
First seen:2023-01-16 19:47:25 UTC
Last seen:Never
File type: zip
MIME type:application/zip
Note:This file is a password protected archive. The password is: 3{r8N5YN2i+unwk6
ssdeep 24576:0t71NxW7UsYYhfkTKfbPproflPoyQKfik:0t71EUsY4cGVGnQ+N
TLSH T19C05331532A5CA9E31062311A538DD6322271EBB2F59FB36A98F77F018870B7B64177C
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter iamdeadlyz
Tags:95-217-102-105 exe MoonWallet pw 3{r8N5YN2i+unwk6 RedLineStealer zip


Avatar
Iamdeadlyz
From moonwallet.io (fake cryptocurrency wallet)
RedLineStealer C&C: 95.217.102.105:1695

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.217.102.105:1695 https://threatfox.abuse.ch/ioc/1068957/

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:MicrosoftRuntimeComponentsX86.exe
File size:1'784'776 bytes
SHA256 hash: 56733c9f52b57912adfdac911962088e80e720c97aa41a1872f44034115ad7a0
MD5 hash: ca476dff32e2b9a3d100aa67e793e3fe
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/52f0bae6beea011439748fabb5955d5849b1219ee710f9b4df2b3f2f8214fe17/results/dashboard
Gathering data
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/52f0bae6beea011439748fabb5955d5849b1219ee710f9b4df2b3f2f8214fe17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52f0bae6beea011439748fabb5955d5849b1219ee710f9b4df2b3f2f8214fe17/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=klylvzv65iariolur6v3lfk5lbe3cim644iptng7fm7s7aqu7ylq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

8078be3ec6618253cf36dfa240cfc3d5f2d15f13db6d4e4dfde0476651f53446

RedLineStealer

zip 52f0bae6beea011439748fabb5955d5849b1219ee710f9b4df2b3f2f8214fe17

(this sample)

RedLineStealer

Executable exe 56733c9f52b57912adfdac911962088e80e720c97aa41a1872f44034115ad7a0

  
Dropped by
SHA256 8078be3ec6618253cf36dfa240cfc3d5f2d15f13db6d4e4dfde0476651f53446
  
Dropped by
SHA256 49930324087d3d06f73a489f793e3e7bef7f593eaf81f8b2b8e048a8145d3a88
  
Dropped by
SHA256 f5415a200ec9a5b3c414acdb587548f366cb5c1423bd1c698ac0f9d1e6f53dc3
  
Dropping
SHA256 56733c9f52b57912adfdac911962088e80e720c97aa41a1872f44034115ad7a0
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2510075/
  
URLhaus
https://urlhaus.abuse.ch/url/2510102/
  
Dropping
MD5 ca476dff32e2b9a3d100aa67e793e3fe

Comments