MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62d2c5b180e6523289d12df913648a1872c6feff6b4f45bb64705bbe9492b4da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 62d2c5b180e6523289d12df913648a1872c6feff6b4f45bb64705bbe9492b4da
SHA3-384 hash: a5ecff1b22bdbb71653b068138b8d3da8706e77aba8f35416dea9fd90ccd0fe70c45b73ea87ec9cdba43865ddc1f765e
SHA1 hash: 3a3fadec1e199c33d6d5688e153868be9eedb329
MD5 hash: 07c656644707998a6672e1cc7b3a9ac8
humanhash: seven-jersey-kansas-network
File name: 07c656644707998a6672e1cc7b3a9ac8.exe
Signature: RedLineStealer
File size: 406'528 bytes
First seen: 2021-10-08 04:50:52 UTC
Last seen: 2021-10-08 06:10:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 54bf62ec6910c4bfd61455c421ef149b (4 x RedLineStealer, 3 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep: 6144:VyEaiOY9xKx+bF3stvwxprRvmO23LsAFg25kqDPdJGtrUoCCvWulDKUtW1kMdZCF:AENVxKw2vwP2oKk2VJGtrUUvWWKUtN
Threatray: 3'159 similar samples on MalwareBazaar
TLSH: T1BC84CF10B7A0C035F2B756F44A7A93B9A83E7DA1673594CF12D566EA4B34AE0EC30317
dhash icon: e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 189
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 07c656644707998a6672e1cc7b3a9ac8.exe
Verdict: Malicious activity
Analysis date: 2021-10-08 04:55:58 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a service
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Stealing user critical data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Raccoon
Status: Malicious
First seen: 2021-10-08 02:40:00 UTC
File Type: PE (Exe)
Extracted files: 13
AV detection: 24 of 28 (85.71%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:paladin discovery infostealer spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 178.63.26.132:29795
Unpacked files

SHA256 hash: 1b8380160e547aeefc07dfffea1aeb99455605217a59ddfa97b94d30c5ad0498
MD5 hash: 1d855f7b17ad5be5f39a2a7b275b3653
SHA1 hash: 9171599cc03210b0df3ee93cf0735f989df65c2e

SHA256 hash: 63daa37ed8cc613c8c14e84659618983046a93046698a4094219d0b485332dc7
MD5 hash: 6f233a4c1dba61a7243b0d06b0cf388c
SHA1 hash: 658fd47cd67a8c60327e5bdd46af77fd56903fd4

SHA256 hash: 670d4a54ddad06d7d3bfbc77e5496322cb31304f2e3ddea94b9cbc4017a1498e
MD5 hash: 157295887e68ed133a79ed6887b839c9
SHA1 hash: 4d606e27b46e75307256a1e1677fb1be630a99b5

SHA256 hash: 62d2c5b180e6523289d12df913648a1872c6feff6b4f45bb64705bbe9492b4da
MD5 hash: 07c656644707998a6672e1cc7b3a9ac8
SHA1 hash: 3a3fadec1e199c33d6d5688e153868be9eedb329

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe 62d2c5b180e6523289d12df913648a1872c6feff6b4f45bb64705bbe9492b4da (this sample)