MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 547e2bd845ba9e62e711c1a787225bb6b55c8d13d446dca7ee1cc3b2d61f0d8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 547e2bd845ba9e62e711c1a787225bb6b55c8d13d446dca7ee1cc3b2d61f0d8c
SHA3-384 hash: 76963aeb2dbe32d816f4ee15f10a7e726f4cb17f37f88a99942b377515267c8a4c06b630de38127dd459fcbd62773e28
SHA1 hash: 0ce5fbd52099114a27fc99707bea5953c360aceb
MD5 hash: c0a9cb53b94442067722dcb47abe376f
humanhash: ten-table-north-snake
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'022'552 bytes
First seen:2022-09-07 11:37:35 UTC
Last seen:2022-09-08 12:14:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep 98304:NnwjHmUicA6UzitvE2qYYktUT3Z2yTG8L7FG7RwgnMPS:N7PWBMPFYUT3oaFL7omgMK
Threatray 4'207 similar samples on MalwareBazaar
TLSH T13136022262D47195D3D288378527FEF071FEDE2A8B41A8B765D57ECB24335F0A222943
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 04a0fe7c9ccc8ece (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎
Issuer:☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎☎
Algorithm:sha1WithRSAEncryption
Valid from:2022-09-06T11:02:11Z
Valid to:2032-09-07T11:02:11Z
Serial number: 155de4c675120fbc49766d3d8fdd67d4
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8efbe20233e0d44c07073da114c2badcd4fd18c7b922c6ebef1f944a93429499
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc523958404_646010605?hash=4TtlNmzKz6HRFrrJtnfKGwwyCMMVxY9WQCdMm1fziqT&dl=GUZDGOJVHA2DANA:1662548131:eZZmF7tWNUukGIXDrOqIYqXrb2z7sttdxBh4ggdIE7g&api=1&no_preview=1#redcl

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.110.62.196:26277 https://threatfox.abuse.ch/ioc/848468/

Intelligence

File Origin
# of uploads :
7
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-07 11:38:43 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a7512eab-b774-4d08-b697-c8b3f67a59db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308471/
Detection(s):
SecuriteInfo.com.Trojan.Win32.VMProtect.26995.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the system32 subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/631882a5d94ccae410829e4d/reports/f89c67bd-b781-4057-be1f-ef0f3c687e21/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/865ef8ed-6deb-4a14-8375-0761762ab681
Result
Threat name:
AsyncRAT, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066324
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AsyncRAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/547e2bd845ba9e62e711c1a787225bb6b55c8d13d446dca7ee1cc3b2d61f0d8c/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 11:38:14 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kr7cxwcfxkpgfzyrygtyois3w22vzdit2rdnzj7odtb3fvq7bwga._file
Verdict:
malicious
Similar samples:
0af8d47a09b1f5ea9544e89eb83e8a572b8a78fcb28db74ee523da4b1797cd3e
RedLineStealer
19a09526a8fb21c9f6d9f17c0c00c6d26f3f5026797c1ae9ba96535d7df67941
RedLineStealer
1ad5a92569021798249b4f04bd383aa1440a5352baab03060397a9fbcfa9ba6c
RedLineStealer
24ae0691d84b4cf88375147998be588fb378bf50c03487ae65e2c25139baea81
RedLineStealer
7fb55c7160ff90700ea1b7258ff4a71037659ee4152a7877efa111ea609190c3
RedLineStealer
a547b69be049d99ca791aa10851d5f2b369edd54e748ea23e06c6bab3dd006ab
RedLineStealer
c15b6c5b17eaedb2a9bfec349a7c7a394a3ff40440728a4fe52109530f6e89ce
RedLineStealer
d4f72d2182411da7606c634ee11876aafb6230f620c36921288c5de1f8d2f795
RedLineStealer
+ 4'197 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220907-nrp9qahbfj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
0362d343dedaf7d4226b31f4bbc92b5e95547acf57f92e49f8ff1a88aab18956
MD5 hash:
1f2d41b53eff0374aa0e12468c639761
SHA1 hash:
81152d5710aa9041ce86619f744faa3f0b1fc120
Link:
https://www.unpac.me/results/19be9fee-928c-4f50-80fa-e839df3dcaca/
SH256 hash:
42321bcb973a3ab0b8b41cfc6906ccfbcaefcede357397e1f84e8cceece13b05
MD5 hash:
d6244e60fee838ca82e396023d7ad915
SHA1 hash:
1a843d62faa3290012d5a36bdc6ef85c75089305
Link:
https://www.unpac.me/results/19be9fee-928c-4f50-80fa-e839df3dcaca/
SH256 hash:
547e2bd845ba9e62e711c1a787225bb6b55c8d13d446dca7ee1cc3b2d61f0d8c
MD5 hash:
c0a9cb53b94442067722dcb47abe376f
SHA1 hash:
0ce5fbd52099114a27fc99707bea5953c360aceb
Link:
https://www.unpac.me/results/19be9fee-928c-4f50-80fa-e839df3dcaca/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/547e2bd845ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/547e2bd845ba9e62e711c1a787225bb6b55c8d13d446dca7ee1cc3b2d61f0d8c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/308471/

Comments