MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7239a4b628d42d5fc2e42f4874b338d3477254a356726540da562e8cd654c15c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7239a4b628d42d5fc2e42f4874b338d3477254a356726540da562e8cd654c15c
SHA3-384 hash: 8eaabb58d1fc9026f23ac04ff7f8ca07c674538f2a95e6e38dcc28a7fcfae30dbfb8906e5540484b80e47f2f8e7865b1
SHA1 hash: 272de727c73d4dd3fd456c623207836f710bd37a
MD5 hash: a99df7bbe1ed0688f16ad197a95f48a8
humanhash: sweet-july-seventeen-delaware
File name:CosmoWars Setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'998'480 bytes
First seen:2022-10-20 18:58:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a5eb0f81fa12ecd499c701ada492a1a8 (2 x RedLineStealer)
ssdeep 49152:/ws26qwHNKzBfzWK/nsu2jcw0vEHn6U9JZD276ObNpfodCb9yILMP9gat9CewcHT:oXsSuRkaG9Cp9JHVgpzGg
Threatray 151 similar samples on MalwareBazaar
TLSH T11686237362551141E8D58836C823FED032F727BA9B81AC35B6F7F9C725728E4E642A13
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e0c08045c392c4e0 (1 x RedLineStealer)
Reporter iamdeadlyz
Tags:CosmoWars exe FakeExoMiner RedLineStealer


Avatar
Iamdeadlyz
From cosmo-wars.com (impersonation of ExoMiner Android game [com.eldring.exominer])
RedLineStealer C&C: 77.73.134.13:3660

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
CosmoWars Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-10-20 18:59:50 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a723d07b-c8b8-4671-9781-33ea897743ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322112/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13142.20884.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/44027/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/63519a78339362a6061b2891/reports/8e5870fc-dc43-46bf-8fc7-52b60d630bb1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2b8ed5ae-c6ed-49ca-bc4d-83604016b1f4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094431
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7239a4b628d42d5fc2e42f4874b338d3477254a356726540da562e8cd654c15c/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 22:07:33 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 42 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oi42jnri2qwv7qxef5ehjmzy2ndxevfdkzzgkqg2kyxizvsuyfoa._file
Verdict:
unknown
Similar samples:
0265914b01090e1992ecd3173fc88ebf5165c41c5268665cef951b4ef0a595b2
RedLineStealer
21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421
RedLineStealer
589c3ca80e2a9d154ca78a00410ced5f3eb542432c03e2b43323b39049b5b2c7
RedLineStealer
7a2d18d2dcaaae50afb1f0aeca3d2aacb172471ec1fa11877c8bb731586ba711
RedLineStealer
90c3df045da659194fcf00893e7cd940de6dff4f17830444501e06d1488f06ec
RedLineStealer
9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b
RedLineStealer
+ 141 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
spyware
Link:
https://tria.ge/reports/221020-xm2xdsaee8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6d5ca2a3-5cbe-43a3-bf7b-55712e3ae91f
Unpacked files
SH256 hash:
7239a4b628d42d5fc2e42f4874b338d3477254a356726540da562e8cd654c15c
MD5 hash:
a99df7bbe1ed0688f16ad197a95f48a8
SHA1 hash:
272de727c73d4dd3fd456c623207836f710bd37a
Link:
https://www.unpac.me/results/fc99c60c-f3e4-4b4e-a0b0-9b2af35f8fad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7239a4b628d42d5fc2e42f4874b338d3477254a356726540da562e8cd654c15c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

zip d1a8ae6e195921b1d6b338c66568875f7e3ef2c796c1079c511e57b899ff44ca

RedLineStealer

Executable exe 7239a4b628d42d5fc2e42f4874b338d3477254a356726540da562e8cd654c15c

(this sample)

  
Dropped by
SHA256 d1a8ae6e195921b1d6b338c66568875f7e3ef2c796c1079c511e57b899ff44ca
  
Dropped by
SHA256 8e54534f774632a12adbd7732b2816dda6bf4e034ddd2531de4909085bec767e
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/322112/
  
URLhaus
https://urlhaus.abuse.ch/url/2379793/
  
Dropped by
MD5 f2578427235abbf4a829dab58b51bf6e

Comments