MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72d6c13caf04858e548d6203509d3449d70782d7d21e3d6b173ec810ec609553. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 11

SHA256 hash: 72d6c13caf04858e548d6203509d3449d70782d7d21e3d6b173ec810ec609553
SHA3-384 hash: 9aa46b18d39df751c2e145a2edbd35cc012f931f47dc538fbd7773453490edd63686f317fab8efe1f766657c03b6152d
SHA1 hash: f14cff1b83baafd35f3df634016082439255d60d
MD5 hash: d145a2714e9f6a901e0c03212bc364a6
humanhash: wolfram-arizona-carbon-robin
File name: d145a2714e9f6a901e0c03212bc364a6
Signature: RedLineStealer
File size: 556'296 bytes
First seen: 2022-01-26 14:12:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1e9d5fdb5cdeb4f77ff187ddc714386f (1 x RedLineStealer)
ssdeep: 6144:kbV9vclT+0iDpGaZcMEZq6hDhbbTgxrzI2ArsSAtjd6mKv9QaejWrbS6hB+gFe8J:aUTd3ocfZLDhExlh0jQaejWHr06T0DK
Threatray: 168 similar samples on MalwareBazaar
TLSH: T144C402C1B55098F1DD394DB3AC3F892116177DBED6E4B62D288AB31A01B325386B790F
dhash icon: 13717d4d41414307 (1 x RedLineStealer)
Reporter: zbetcheckin
Tags: exe RedLineStealer signed

Code Signing Certificate

Organisation: Polaroid Candy MZB (PWL 3008-04)
Issuer: Polaroid Candy MZB (PWL 3008-04)
Algorithm: sha1WithRSAEncryption
Valid from: 2022-01-24T16:23:26Z
Valid to: 2032-01-25T16:23:26Z
Serial number: 1d5d2e7f3b96d5a141b1fecc7fe4a57b
Thumbprint Algorithm: SHA256
Thumbprint: 55b923f409c0f1d13590c8d0704e58bc44a0e49f8239d0016993367379ef424d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 136
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: http://212.193.30.45/WW/ruzz3.exe
Verdict: Malicious activity
Analysis date: 2022-01-26 15:43:51 UTC
Tags: loader trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Searching for analyzing tools
  Searching for the window
  Creating synchronization primitives
  DNS request
  Using the Windows Management Instrumentation requests
  Reading critical registry keys
  Creating a file
  Sending a TCP request to an infection source
  Stealing user critical data

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Threat name: Win32.Trojan.GenCBL
Status: Malicious
First seen: 2022-01-25 23:56:07 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 16 of 28 (57.14%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Reads user/profile data of web browsers
  RedLine
  RedLine Payload
Unpacked files
SHA256 hash: 19cdbbc3243b404bd216c9820900c5f2843a4b1298ba5f336f2f5b22119ebc60
MD5 hash: ba7746446e400b7d7915e2efd2f23fc3
SHA1 hash: e02d70460dc33b6e23abe79870e8fee006c37f4b

SHA256 hash: 72d6c13caf04858e548d6203509d3449d70782d7d21e3d6b173ec810ec609553
MD5 hash: d145a2714e9f6a901e0c03212bc364a6
SHA1 hash: f14cff1b83baafd35f3df634016082439255d60d

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 72d6c13caf04858e548d6203509d3449d70782d7d21e3d6b173ec810ec609553 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2022-01-26 14:12:40 UTC

url : hxxp://212.193.30.45/WW/ruzz3.exe