MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7084f1ae45733b1311a449d2a33202b5ca93363755fc6a746b37ed934b8fa9c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7084f1ae45733b1311a449d2a33202b5ca93363755fc6a746b37ed934b8fa9c9
SHA3-384 hash: 6b495c8ef2fdeada5ad62948ff93771ad0cab0f31267195ae702e12089bce6a184783e50105893e1da0062840962cf99
SHA1 hash: 138b5ff59f733eed7ed135b7e11a7597081facff
MD5 hash: be23958ce4cb7c999dddca276120d276
humanhash: quebec-arizona-violet-massachusetts
File name:7084f1ae45733b1311a449d2a33202b5ca93363755fc6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:371'200 bytes
First seen:2021-06-30 22:56:05 UTC
Last seen:2021-06-30 23:45:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56277425cc4e9198f16e54164d30a11e (1 x CryptBot, 1 x RedLineStealer, 1 x Stop)
ssdeep 3072:QnZGBiNW5OCcUlRE1BnSyjKGTTMowq0yTD9rk55syRSAvxQVEDvzFbX:QgBi0calS7KGTT8hK9rSsBAbvB
Threatray 1'405 similar samples on MalwareBazaar
TLSH 0984E0627950C872C582443058A5FB7197AAFD615AB3D207F3A92E6F7F232C116F231B
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.197.74.223:15027

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.197.74.223:15027 https://threatfox.abuse.ch/ioc/156524/

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
60dc99_Outbyte-PC-Repa.zip
Verdict:
Malicious activity
Analysis date:
2021-06-30 19:16:52 UTC
Tags:
trojan evasion stealer vidar loader rat redline ficker phishing
Link:
https://app.any.run/tasks/6858b1bb-edb8-4017-b3e4-518361aa3af0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169019/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.6152.28083.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f44dff80-ec74-47d6-8c33-5ae884d9c649
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810262
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7084f1ae45733b1311a449d2a33202b5ca93363755fc6a746b37ed934b8fa9c9/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 22:56:11 UTC
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=occpdlsfom5rgenejhjkgmqcwxfjgnrxkx6gu5dlg7wzgs4pvheq._file
Verdict:
malicious
Similar samples:
07f262884e4c62a48eb9916217a8adca460f41f7ada071f8a0d5fa524b812d47
RedLineStealer
0acd7696d5dc482aa3b4110fd60c6b9f2df88545f6cf9986714a984673965249
RedLineStealer
1f090615b025ca978616652c41369f2331100c7650dabd92ee0fa650f29de47d
RedLineStealer
2cd806676a941c35dafb31a02bfd75d6acecc3c6fb8567fe2b5c1e41bd6a59e3
RedLineStealer
7ff8de714cd1be1409b0c13a946c21f945a0bfdc8fd7e0b1a0f4e20f3ba0e80a
RedLineStealer
8868ce65c7fb73b3b89c48f97e16249139f94e759ff44d955e493f0651ae5f3b
RedLineStealer
9c57d0fc5a49debe9dbb49bfebe011bcf249542f6bbd4eefd41c75c3b5ff7d51
RedLineStealer
a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b
RedLineStealer
aac29d1263aa4cd9db1afe81a56218321daf3d610eb972a2365379b71ab5c392
RedLineStealer
d2e0e8c973c2e376d189271f581d1ffec730f8ca41dfc1e3d9ef0b675366ee9a
RedLineStealer
+ 1'395 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:#proliv1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210630-yfvqwgdwf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.197.74.223:15027
Unpacked files
SH256 hash:
be37d56cb455b5c944aa53d8ac9d9476a320403cf85c699a2b9b1c2f2a064518
MD5 hash:
5c3f5ec6df1e7c3519dbfcfdb9b80794
SHA1 hash:
ebe18a098f3527f34b954035955331cb7d62917f
Link:
https://www.unpac.me/results/c586934e-a41c-4c24-b101-0207075baeba/
SH256 hash:
1a2312b6d3255dde04cfbbb0330373d24a48dec7184650162b08160d1c7dfa12
MD5 hash:
c3137fa4aa9a4e238af33bdbe79588ad
SHA1 hash:
c50aab02810e04abe455de144cc8aff065b94f50
Link:
https://www.unpac.me/results/c586934e-a41c-4c24-b101-0207075baeba/
SH256 hash:
e2dba8e4490144adc741f347d7d7b33aa2ebe82d41d70bb1c88c2bf4b13798e7
MD5 hash:
e98cfc6b3eb16dd86bb79ffb76e91cd6
SHA1 hash:
89ed7e80d0479194995db6a96dc94fbf372d5ae1
Link:
https://www.unpac.me/results/c586934e-a41c-4c24-b101-0207075baeba/
SH256 hash:
7084f1ae45733b1311a449d2a33202b5ca93363755fc6a746b37ed934b8fa9c9
MD5 hash:
be23958ce4cb7c999dddca276120d276
SHA1 hash:
138b5ff59f733eed7ed135b7e11a7597081facff
Link:
https://www.unpac.me/results/c586934e-a41c-4c24-b101-0207075baeba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7084f1ae45733b1311a449d2a33202b5ca93363755fc6a746b37ed934b8fa9c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7084f1ae45733b1311a449d2a33202b5ca93363755fc6a746b37ed934b8fa9c9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/169019/
  
URLhaus
https://urlhaus.abuse.ch/url/1414749/
  
Delivery method
Distributed via web download

Comments