MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7363f484ec6bce6b5bb1c7f068c0631fd9143121cf4db4a7c2bb0dde0ae08e94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	7363f484ec6bce6b5bb1c7f068c0631fd9143121cf4db4a7c2bb0dde0ae08e94
SHA3-384 hash:	9c3dae10d56363252351824d59e7d2f5ed08e7cbaeac365bb3d1dfc75d7856ad5ebd1911143ffa12f153568dc2b7a041
SHA1 hash:	ea0462b9d4ec38f86da2056e03e98c2c3499780c
MD5 hash:	ef48779f20af3085bb99f7b7275b96b5
humanhash:	fanta-arkansas-four-harry
File name:	7363f484ec6bce6b5bb1c7f068c0631fd9143121cf4db.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	425'991 bytes
First seen:	2022-03-11 08:07:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	79308deed746567d711b667ee2d6efa1 (10 x RedLineStealer, 2 x N-W0rm, 2 x RaccoonStealer)
ssdeep	6144:Fn7vye1hX9DYGBjgQhR7cG+sgkokddTZ1aHbP1/k4Wy/adMgDRy+DoK:F7hTXFPBjgQhUsNPdv1KVPR/anNf
Threatray	1'755 similar samples on MalwareBazaar
TLSH	T1E494BE10BA90C035E5F326F855BA936CBA3E7EA19B3454CB52D46BEE56346D0EC3130B
File icon (PE):
dhash icon	50307088b2c4d4cc (10 x RedLineStealer, 1 x N-W0rm)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.67:44400

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.67:44400	https://threatfox.abuse.ch/ioc/393504/

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/249326/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/622b036fb94fb38cb45a6ef8/reports/1d447312-eed9-4dd5-a91a-8ed185fb4ff2/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5ae72e50-20e6-408c-b802-438f47eaeda5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/954730

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7363f484ec6bce6b5bb1c7f068c0631fd9143121cf4db4a7c2bb0dde0ae08e94/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-03-11 08:08:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=onr7jbhmnphgww5ry7ygrqddd7mrimjbz5g3jj6cxmg54cxar2ka._file

Verdict:

malicious

RedLineStealer

0f0bbf5596625740d4b2d2b8701fbdd7d07f214b1ae67d753b58025504ffe067

RedLineStealer

40b63795dc1177ff8d528455bfb9bf9d50cfb11eff0eb66b15b245e56d59f0d6

RedLineStealer

8b6318c05cdbd64828da21d58cc6ded6dbaaf4e445827cfca04818600476770a

RedLineStealer

9b5f11cb636c00558e47f9c3d5a706c340b7b8ac34edf80cb71cf7ec70091dca

RedLineStealer

a9a43a86aa3618296201e620b18ef1223dede66ecbb67e17fc6477a7d75f3d86

RedLineStealer

ac78847643cdc130d273246124326bf004cab019f0b4aede23fb9f949df17f4c

RedLineStealer

c5ecc9c84b230535de6333c8559c4e7d8dc66834fddcb6058fe1cd3569076295

RedLineStealer

dcf51fb55020930d3b0349f43e0f53099c3329bb181387419f8fa28040cee35a

RedLineStealer

fe190943733db4d17a62013c2a8028ea4735d47903c08def8e0d4581737919c5

RedLineStealer

+ 1'745 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ww discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220311-j1lwfagfb6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.106.191.67:44400

Unpacked files

SH256 hash:

c677570564d65e8096aa827cb3f8921ff625c7ff1c3dcf279d6615152cbb1a31

MD5 hash:

7002d063e468202b5e5021e3d5fe481a

SHA1 hash:

74b05c3cc7b014d85fad65dffc10503e74b81534

Link:

https://www.unpac.me/results/15bfdb12-bd20-4b4d-aed1-63f0de9d6169/

SH256 hash:

872b70cbcfff347c037512b7cdb4f20bbbe12a7d4f626b3bd603fecc9d223dbb

MD5 hash:

7e000a1b4de1235793d391334171388f

SHA1 hash:

47a9873f8d1020549fb2f73d514012e31ab02b90

Link:

https://www.unpac.me/results/15bfdb12-bd20-4b4d-aed1-63f0de9d6169/

SH256 hash:

1d877b01e1bd2207a6cc755e69fc4cd1d2eaadc20d2158c016ddc748e0e432b6

MD5 hash:

9f70fd3bf3906c87b7d3639c34817f89

SHA1 hash:

3e159a286a7ff698db4f28958501d211d345ae2e

Link:

https://www.unpac.me/results/15bfdb12-bd20-4b4d-aed1-63f0de9d6169/

SH256 hash:

7363f484ec6bce6b5bb1c7f068c0631fd9143121cf4db4a7c2bb0dde0ae08e94

MD5 hash:

ef48779f20af3085bb99f7b7275b96b5

SHA1 hash:

ea0462b9d4ec38f86da2056e03e98c2c3499780c

Link:

https://www.unpac.me/results/15bfdb12-bd20-4b4d-aed1-63f0de9d6169/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7363f484ec6b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7363f484ec6bce6b5bb1c7f068c0631fd9143121cf4db4a7c2bb0dde0ae08e94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249326/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample