MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7171bc88e1eda14767efb89c9ff8da5b8bb8ef65a1daa4d8c71d11026936278e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7171bc88e1eda14767efb89c9ff8da5b8bb8ef65a1daa4d8c71d11026936278e
SHA3-384 hash: 927d874c0f364d6901c84f6d42b91d32542c0b92c7b33c99e4ec8ccad389eaf99a2c22b4d4315a3284f44d895c4789f8
SHA1 hash: 63a0b73aea08ba0b279e6aece719a308590eacd8
MD5 hash: ff7804ed1b38116017c4ea9434c22e31
humanhash: thirteen-florida-sad-enemy
File name:ff7804ed1b38116017c4ea9434c22e31.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:15'095'296 bytes
First seen:2023-10-05 17:50:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 393216:VNLLhaFCJF8OKsvY9YWcUjm2gfytMQKR:bMk8vTYWckmzfZQKR
Threatray 308 similar samples on MalwareBazaar
TLSH T109E6332C03D8220DE0A134F18A5254B927B69E0DD42EEF46E74BF717F4BD366692D643
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a201e01887f01ca2 (4 x RedLineStealer, 2 x Adware.Generic, 1 x Formbook)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.67.231.23:15378

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.18654.16466.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/7171bc88e1eda14767efb89c9ff8da5b8bb8ef65a1daa4d8c71d11026936278e
Result
Verdict:
MALICIOUS
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af8f21e5-d6fa-4e97-82b2-d3b74d367509
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320487
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7171bc88e1eda14767efb89c9ff8da5b8bb8ef65a1daa4d8c71d11026936278e/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-05 17:51:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
21 of 35 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofy3zchb5wquoz7pxcoj76g2lof3r33fuhnkjwghduiqe2jwe6ha._file
Verdict:
malicious
Similar samples:
1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2
RedLineStealer
23b218e595cc1407a8bf940048ae120061ef7dafb7240d5d313a2c22a3548d0e
RedLineStealer
2b0f279b86a6a69f395e2570b50690bc46ad4c7521b6351b89fbd7b35a0da019
RedLineStealer
370b12fd3dd8a9e65e3b8257072b6a79bfc17844d685496ad491b80dfc8adf27
RedLineStealer
64b4fdff6a88ebf1ba203f97e6a6d0a5428033bc68dbbba82a617b45f3b49dab
RedLineStealer
747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369
RedLineStealer
7e93fa1eab66dd0436c705a8d5163e850d6e0a67374ca7aefb4c3cafd8145394
RedLineStealer
89adc6d8ba1275e2de3434cd3c98382acb2a0dfe1b0f1eb5c802ac8a0bb6ba54
RedLineStealer
a256cdcf68d1a64bdb3db85f88ec27da75a032f338d8740cffcbdf66b85f9d74
RedLineStealer
b1838dc1e966a360289a58a00daee92fcf223d430d9bb4771d457b8739c8179e
RedLineStealer
+ 298 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/231005-we54eafd99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Unpacked files
SH256 hash:
3e00105091fb66c5cbef0d9cc424bb9f2f94bbf734ffc953f0d3fcaba4172cb3
MD5 hash:
aaf6abf0bf9da119813dcf26f9df6e99
SHA1 hash:
d9c55cbec52e19d583f1d3e566abe4cfa7305909
Link:
https://www.unpac.me/results/fe78d971-7000-4f61-ba13-dd8d55c956a6/
SH256 hash:
fa9c73b1973cc52a4ac70e8dc043a9f1fea07e6c92c672964fe96d19cb153a7d
MD5 hash:
126f138241eac58e3c316b0c9ed5dd78
SHA1 hash:
ca83827f3a8d46e71df3e3dbbccbf21fc322ec37
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/fe78d971-7000-4f61-ba13-dd8d55c956a6/
SH256 hash:
7171bc88e1eda14767efb89c9ff8da5b8bb8ef65a1daa4d8c71d11026936278e
MD5 hash:
ff7804ed1b38116017c4ea9434c22e31
SHA1 hash:
63a0b73aea08ba0b279e6aece719a308590eacd8
Link:
https://www.unpac.me/results/fe78d971-7000-4f61-ba13-dd8d55c956a6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7171bc88e1ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7171bc88e1eda14767efb89c9ff8da5b8bb8ef65a1daa4d8c71d11026936278e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_stealer_bytecodes_sep_203
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7171bc88e1eda14767efb89c9ff8da5b8bb8ef65a1daa4d8c71d11026936278e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2715464/
  
Delivery method
Distributed via web download

Comments