MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 702d02cc220387cd8f2029520cde97bd3879a1e151b198b4e3faea08b808cc9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 702d02cc220387cd8f2029520cde97bd3879a1e151b198b4e3faea08b808cc9a
SHA3-384 hash: e2d35c181237c3592862980e3249d2433726a073a064812b9776b2fb6ff9bdcdde7b14fe95cf9872ceeba9b3e925d384
SHA1 hash: 8c21fcfa81324673baea73cdcb505601aa996371
MD5 hash: 6d8efbdd3c7a04521f1626f515562ef4
humanhash: wisconsin-connecticut-sodium-butter
File name: 702d02cc220387cd8f2029520cde97bd3879a1e151b19.exe
Signature: RedLineStealer
File size: 4'377'600 bytes
First seen: 2021-10-28 20:41:59 UTC
Last seen: 2021-10-28 21:59:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 908bea7ee71339f1c35ba419da3ba679 (36 x RedLineStealer, 2 x RaccoonStealer)
ssdeep: 98304:F7toNWVGVOx7kaOvz4aLG6R9S9Awhbft:1VGZvz4aypyqbft
Threatray: 1'618 similar samples on MalwareBazaar
TLSH: T17A162232A7A10055E4E5CC368837FEE470B91B1B8F40A4B677F6AACB18714D0E663D97
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
144.76.156.28:3333

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox reference
144.76.156.28:3333   https://threatfox.abuse.ch/ioc/239353/
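The hashes and the C2 endpoint above are the two kinds of IOC a responder actually pivots on: the file hashes identify a copy of this sample on disk, and the ip:port pair identifies the RedLine C2 channel in connection logs. The following is an added example, not MalwareBazaar or abuse.ch code, that does both checks offline: it computes MD5/SHA1/SHA256 of a byte string and compares them with the entry's hashes, and it scans a handful of constructed connection-log lines (the column layout "ts src_ip src_port dst_ip dst_port proto" is an assumption, loosely Zeek-like) for the C2 pair. Note the port is matched together with the IP: the same host on another port is not this C2.

```python
"""Match a file and connection-log lines against the IOCs on this
MalwareBazaar entry. Added example, not MalwareBazaar or abuse.ch code.

Hash and C2 values are copied from the entry; the file bytes and log
lines used for the demonstration are constructed here.
"""
import hashlib
import re

# IOCs copied from the entry above.
KNOWN_HASHES = {
    "md5": "6d8efbdd3c7a04521f1626f515562ef4",
    "sha1": "8c21fcfa81324673baea73cdcb505601aa996371",
    "sha256": "702d02cc220387cd8f2029520cde97bd3879a1e151b198b4e3faea08b808cc9a",
}
C2_ENDPOINTS = {("144.76.156.28", 3333)}

# Constructed sample log (assumption: "ts src_ip src_port dst_ip dst_port proto").
# Line 3 hits the C2 host on a different port and must NOT match.
SAMPLE_CONN_LOG = """\
1635453719.1 10.0.0.5 49742 144.76.156.28 3333 tcp
1635453720.4 10.0.0.5 49747 162.159.129.233 443 tcp
1635453721.9 10.0.0.7 51000 144.76.156.28 443 tcp
1635453722.0 10.0.0.5 49791 216.58.215.228 80 tcp
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\S+)$"
)


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a byte string, keyed like KNOWN_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_sample(hashes: dict) -> list:
    """Return the algorithm names whose digest equals the entry's digest.

    Comparison is case-insensitive. A hit on any single algorithm is
    reported because MD5 and SHA1 are still common lookup keys in feeds.
    """
    return [alg for alg, digest in hashes.items()
            if digest.lower() == KNOWN_HASHES.get(alg, "").lower()]


def find_c2_connections(log_text: str) -> list:
    """Return (src_ip, dst_ip, dst_port) for each line hitting a C2 ip:port pair.

    Both IP and port must match; malformed or header lines are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in C2_ENDPOINTS:
            hits.append((m["src"], dst, dport))
    return hits


if __name__ == "__main__":
    print(matches_known_sample(KNOWN_HASHES))                 # ['md5', 'sha1', 'sha256']
    print(matches_known_sample(hash_bytes(b"not the sample")))  # []
    print(find_c2_connections(SAMPLE_CONN_LOG))               # [('10.0.0.5', '144.76.156.28', 3333)]
```

To check a real file, read it in binary mode and pass the bytes to hash_bytes(); to scan a real log, adjust CONN_RE to the actual column order of your sensor before trusting a negative result.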

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 176
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6609814701637632.zip
Verdict: Malicious activity
Analysis date: 2021-10-27 12:41:31 UTC
Tags: autoit trojan evasion rat redline stealer vidar opendir loader formbook smoke raccoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 511309; sample 702d02cc220387cd8f2029520cd...; start date 28/10/2021; architecture WINDOWS; score 100):
Root signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 4 other signatures
702d02cc220387cd8f2029520cde97bd3879a1e151b19.exe (started)
  Signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION; Writes to foreign memory regions; 3 other signatures
  -> AppLaunch.exe (started)
       Network: 144.76.156.28:3333 from source port 49742 (HETZNER-ASDE, Germany); cdn.discordapp.com 162.159.129.233:443 from source port 49747 (CLOUDFLARENETUS, United States)
       Dropped: C:\Users\user\AppData\Local\Temp\fl.exe (PE32+)
       Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
       -> fl.exe (started)
            Network: www.google.com 216.58.215.228:80 from source port 49791 (GOOGLEUS, United States)
            Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  -> WerFault.exe (started)
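The process chain in the behaviour graph is what an endpoint detection should key on: the sample starts AppLaunch.exe, a legitimate .NET host, and it is that hosted process (not the original binary) that reaches the C2 on 144.76.156.28:3333, drops fl.exe into the user's Temp folder and executes it. The following is an added example, not sandbox, Sysmon or MalwareBazaar code, that correlates constructed process-create, network-connect and file-create records (a simplified Sysmon-like shape; the record layout and the .NET 4 paths for AppLaunch.exe and dfsvc.exe are assumptions, not values from the page) and flags an AppLaunch.exe only when all three conditions line up, so a normal ClickOnce start does not fire.

```python
"""Detect the process chain drawn in the behaviour graph above from endpoint
telemetry. Added example, not sandbox, Sysmon or MalwareBazaar code.

The graph: the sample starts AppLaunch.exe, which connects to
144.76.156.28:3333 and cdn.discordapp.com, drops
C:\\Users\\user\\AppData\\Local\\Temp\\fl.exe and runs it. The records below
are constructed in a simplified Sysmon-like shape (assumption: dicts with an
'event' field of process_create / network_connect / file_create). The .NET 4
paths for AppLaunch.exe and dfsvc.exe are assumptions, not from the page.
"""
from collections import defaultdict

DOTNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"  # assumed host path
SAMPLE = r"C:\Users\user\Desktop\702d02cc220387cd8f2029520cde97bd3879a1e151b19.exe"

# Constructed events reproducing the graph, plus one benign AppLaunch.exe start.
EVENTS = [
    {"event": "process_create", "pid": 100, "ppid": 10,
     "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "pid": 200, "ppid": 100,
     "image": DOTNET + r"\AppLaunch.exe", "parent_image": SAMPLE},
    {"event": "network_connect", "pid": 200, "dst_ip": "144.76.156.28", "dst_port": 3333},
    {"event": "network_connect", "pid": 200, "dst_ip": "162.159.129.233", "dst_port": 443},
    {"event": "file_create", "pid": 200, "target": r"C:\Users\user\AppData\Local\Temp\fl.exe"},
    {"event": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Users\user\AppData\Local\Temp\fl.exe",
     "parent_image": DOTNET + r"\AppLaunch.exe"},
    {"event": "network_connect", "pid": 300, "dst_ip": "216.58.215.228", "dst_port": 80},
    # Control: ClickOnce-style AppLaunch.exe started by dfsvc.exe, no drops.
    {"event": "process_create", "pid": 400, "ppid": 20,
     "image": DOTNET + r"\AppLaunch.exe", "parent_image": DOTNET + r"\dfsvc.exe"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"  # user-profile Temp folder, lower-cased


def detect_applaunch_chain(events):
    """Return one finding per AppLaunch.exe process that (a) was started by a
    parent outside C:\\Windows, (b) made at least one outbound connection and
    (c) dropped an executable into a Temp folder that it then executed.

    Each condition alone is noisy (AppLaunch.exe is used by ClickOnce); the
    conjunction mirrors the graph: injection host, C2 contact, drop, execute.
    """
    procs = {}
    conns = defaultdict(list)    # pid -> [(dst_ip, dst_port)]
    drops = defaultdict(set)     # pid -> lower-cased dropped executable paths
    children = defaultdict(set)  # ppid -> lower-cased child image paths
    for ev in events:
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].add(ev["image"].lower())
        elif ev["event"] == "network_connect":
            conns[ev["pid"]].append((ev["dst_ip"], ev["dst_port"]))
        elif ev["event"] == "file_create":
            target = ev["target"].lower()
            if target.endswith((".exe", ".dll")) and TEMP_MARKER in target:
                drops[ev["pid"]].add(target)

    findings = []
    for pid, ev in procs.items():
        if not ev["image"].lower().endswith("\\applaunch.exe"):
            continue
        parent_in_windows = ev["parent_image"].lower().startswith("c:\\windows\\")
        executed_drops = drops[pid] & children[pid]
        if not parent_in_windows and conns[pid] and executed_drops:
            findings.append({
                "pid": pid,
                "parent": ev["parent_image"],
                "connections": conns[pid],
                "executed_drops": sorted(executed_drops),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_applaunch_chain(EVENTS):
        print(finding)  # exactly one finding, for pid 200
```

The parent check is deliberately coarse (anything outside C:\Windows); in production you would replace it with signer or path allow-lists for your .NET deployment, and feed the dropped-file and network events through the same pid keys from your real sensor.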
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2021-10-27 12:35:52 UTC
AV detection: 11 of 28 (39.29%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@black_capo infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
144.76.156.28:3333
Unpacked files
SHA256 hash: ccb77e52655320f4475dd965c444d6f109425046638c2fed5141dedf16421262
MD5 hash: 6a015f530d401f2e7fa0b9538e0a167a
SHA1 hash: 3efa621cb18c44a4f615210c50ab7e13d4f1b603

SHA256 hash: 702d02cc220387cd8f2029520cde97bd3879a1e151b198b4e3faea08b808cc9a
MD5 hash: 6d8efbdd3c7a04521f1626f515562ef4
SHA1 hash: 8c21fcfa81324673baea73cdcb505601aa996371
Please note that we are no longer able to provide a coverage score for Virus Total.
