MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f5eacd77526de995a9caaaa7a963d18c5f7732b22fad8a0151ac8c25c9baad8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f5eacd77526de995a9caaaa7a963d18c5f7732b22fad8a0151ac8c25c9baad8
SHA3-384 hash: 4bfce30dd22c9c27ffdf7c328e87ec6dd43c00254631963169c6d95c3db8310dc59030e92e8b02433c4bf49c4a628cd0
SHA1 hash: 14ac87815ea815f8997f0a4c751cc352822a7975
MD5 hash: cd217b0e6e936f9ae9492ec1a089cdcf
humanhash: jupiter-avocado-skylark-pizza
File name:cd217b0e6e936f9ae9492ec1a089cdcf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:409'600 bytes
First seen:2021-11-28 20:36:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57fcd4b73bdcb72ae43e8e838f842fae (4 x RedLineStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:PUXX6NUgpY0KRXtFxLdfwW5jh4nIex9U4zvDNxdDUHUsIKzqKdu:sXKNB61JLCW5KnIQ9U4rRxdDUH1zqEu
Threatray 4'034 similar samples on MalwareBazaar
TLSH T10094C014A7A0C039F5B712F89A7593B5EB3E7DB16778A0CB52C526EA46386D0EC31307
File icon (PE):PE icon
dhash icon e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
147.124.208.247:34932

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.124.208.247:34932 https://threatfox.abuse.ch/ioc/255925/

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd217b0e6e936f9ae9492ec1a089cdcf.exe
Verdict:
Malicious activity
Analysis date:
2021-11-28 20:38:21 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c2d7121f-b100-4564-981c-0557498a8327

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed
Link:
https://www.filescan.io/uploads/61a3e870c4c531414820a83a/reports/1d1a180e-79d9-46e8-b082-eaebfb71842c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a3df559-bb04-4f76-a52c-8495d783c4f3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897517
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f5eacd77526de995a9caaaa7a963d18c5f7732b22fad8a0151ac8c25c9baad8/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 18:58:14 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
35 of 45 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5pkzv3ve3pjswu4vkvhvfr5ddc7o4zlel5nriavdlemexe3vlma._file
Verdict:
malicious
Similar samples:
116d7de7a0b9cb20a6ee1757752c0edf48efc465ab9090babd746bcdab6fe9f2
RedLineStealer
21519d3dacd699427d82ee61a407b95d7f1c23c5f621db689878720fedd0e885
RedLineStealer
22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31
RedLineStealer
26d62525d904a1739ff73041a2dc0522a31225fc0c696e061bde265c98027e9c
RedLineStealer
bfc438d878c502c8dad807bef3f928dfd7238b26960ad0dab26125d2c47ca528
RedLineStealer
ea28683f3070208ae7c412ade3e135bc44c3ced1ced783e8f98f272024084e1b
RedLineStealer
fc7d4ac0a19ec0f8aa9c6bca854520705b9e56d51460ae5e8edb3b4c5573fbae
RedLineStealer
fd5a02d6244c90c495f45709f8da36753df70cc59ddedab6bba9400d34d754a5
RedLineStealer
+ 4'024 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:badman2020 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211128-zd5m2aafam/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
147.124.208.247:34932
Unpacked files
SH256 hash:
d68d6e0a1befe8d4921c35e4ac11787543daedcd3775ddc909f148d58a24277a
MD5 hash:
3181997b78d7ec193ee9850f45eeef19
SHA1 hash:
94d2f58bd4b15a09d9df979c5386330569a22ff7
Link:
https://www.unpac.me/results/805087f4-00d8-4ddd-88f4-02b9b5599077/
SH256 hash:
8b8679c5dadc09d33a5defc1dadb23e6ddd94453e625c733bc45d440fa8d3b74
MD5 hash:
bedb2a46672f63bd411d14b47390993f
SHA1 hash:
46419742bb40387073ea92c6db4db83cec06e8bf
Link:
https://www.unpac.me/results/805087f4-00d8-4ddd-88f4-02b9b5599077/
SH256 hash:
15a41e138f4cca68064eac2d4cdb465fc6e44edb3348dcd8b828ee4673a35d37
MD5 hash:
03a1985017658bc9e751b3b62df411db
SHA1 hash:
1aa4fc4b6e135efa02978456b703a0a5c3569c74
Link:
https://www.unpac.me/results/805087f4-00d8-4ddd-88f4-02b9b5599077/
SH256 hash:
5f5eacd77526de995a9caaaa7a963d18c5f7732b22fad8a0151ac8c25c9baad8
MD5 hash:
cd217b0e6e936f9ae9492ec1a089cdcf
SHA1 hash:
14ac87815ea815f8997f0a4c751cc352822a7975
Link:
https://www.unpac.me/results/805087f4-00d8-4ddd-88f4-02b9b5599077/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5f5eacd77526/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f5eacd77526de995a9caaaa7a963d18c5f7732b22fad8a0151ac8c25c9baad8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5f5eacd77526de995a9caaaa7a963d18c5f7732b22fad8a0151ac8c25c9baad8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1829689/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1829720/

Comments