MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d
SHA3-384 hash: bfc2f2e0a01b3279662f6fac81a549d85cb920c60e9ef31ad1c8b0c4a929d2ab3b5a06261f8ec629e8318d2733c21bd5
SHA1 hash: 8a31397d911774ea29d7bfdb58c8662aa0b264c8
MD5 hash: e0d1e8998f0a056402f814cd753ea142
humanhash: mexico-idaho-georgia-three
File name:7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:350'720 bytes
First seen:2022-03-03 21:01:46 UTC
Last seen:2022-03-03 23:05:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0623e16f7ad169cff85e84a96d4a7da6 (2 x Gozi, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep 6144:D/Lz987eOKGxe4YBtVRmA1XzUBXD/tYi5ncyRwaX9lA50tHb:D/n987EGEhDlzU/0yNXsI7
Threatray 3'751 similar samples on MalwareBazaar
TLSH T1FD7401263A40C476C5C214764879DBB15FBFA8302460AD0BB76427EF6F33B92677931A
File icon (PE):PE icon
dhash icon 38b078eccacccc53 (67 x Smoke Loader, 29 x Stop, 20 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
109.248.175.92:30766

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.248.175.92:30766 https://threatfox.abuse.ch/ioc/392367/

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2022-03-03 21:01:46 UTC
Tags:
evasion trojan socelars stealer loader rat redline phishing opendir vidar
Link:
https://app.any.run/tasks/494e113a-424f-4f4f-aac0-66617da0516b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247110/
Detection(s):
Win.Dropper.LokiBot-9940755-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Launching a process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8153/overview
Behaviour
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5669e40d-b455-46ff-93b3-b4cf624a9740
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950387
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 21:02:11 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofesa3xw32ffzvzd4olk4lcgets6yig74x3q7offpei2a4fcdv6q._file
Verdict:
malicious
Similar samples:
123f3e76c54fff0e2b50c7a5501b5d531ad16c6eebe301d52a72ba6f7d4efd8a
RedLineStealer
3f16c127db5d1896a3dfabdf6dff5a16027165d5a0981e2bd32f9556db9e19ee
RedLineStealer
6fd8616b2ae9f0c04f7bd91f87e7efea5a0e488001fd37ff1b523d0b36e8f027
RedLineStealer
a70e4487b1342707ba6ae5a1b51796542f65f904d6778780f324c459e306152a
RedLineStealer
ac11513e0ae44da690d7456df22d6874e0b29f97b5c0aa9286d7c59492f323f3
RedLineStealer
b54930e793f340f807ab2492ea8dd18263ff267706e9b31ac4ce71e9c5fa7c4c
RedLineStealer
be336ff807ecd120dca270ee1fae0b2284d2d112d6f1ed9baa875824146befa8
RedLineStealer
d048fe8895c8e37eccb029edee49bc476694b63b325ae5931e57059430572e72
RedLineStealer
+ 3'741 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:test discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220303-zvfegacec9/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
109.248.175.92:30766
Unpacked files
SH256 hash:
086d42558479f48f9b83eecd9a660309fe8616dee27f1a139047e32f88b4e5d3
MD5 hash:
252d99f35c4b9ddd9031a673ed0594ef
SHA1 hash:
fbfccfb12d5d93557c2771de8a1313639d01c973
Link:
https://www.unpac.me/results/6e140c44-c40a-44ff-a1aa-ca97290a586c/
SH256 hash:
3aecb6a75f5d3ce528040282432c2e186677af41d89fb58387ba4fe8628a44c4
MD5 hash:
ab3396f5d11c5e3577b4e155bcc828c6
SHA1 hash:
eb0d3b65e230e1bc285bc72c6791b27deac04d86
Link:
https://www.unpac.me/results/6e140c44-c40a-44ff-a1aa-ca97290a586c/
SH256 hash:
1c30578558c4472fd77a5ad3a0646e977afda8f36f8b0e22bfcf12788d019396
MD5 hash:
778942f870dec25bc247be3f439b9be7
SHA1 hash:
57c4902c5089e5b61aa0e91d3830b47f832cc253
Link:
https://www.unpac.me/results/6e140c44-c40a-44ff-a1aa-ca97290a586c/
SH256 hash:
7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d
MD5 hash:
e0d1e8998f0a056402f814cd753ea142
SHA1 hash:
8a31397d911774ea29d7bfdb58c8662aa0b264c8
Link:
https://www.unpac.me/results/6e140c44-c40a-44ff-a1aa-ca97290a586c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7149206ef6de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/247110/

Comments