MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73a53f8b8068543cf8d1219a2fdc671ed53d3602ae6c5609b34dbb34521b0178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	73a53f8b8068543cf8d1219a2fdc671ed53d3602ae6c5609b34dbb34521b0178
SHA3-384 hash:	09084af6cf939f828ea84310d3041379b93ae2df15db618e20551f30e549eaf17a775aaca0d033c580d69cf82065274a
SHA1 hash:	4bb839757cd08dae0c37d1b7704e9201f4b63246
MD5 hash:	4ecb793be8d8d411d3beac353b9b4ad7
humanhash:	twelve-blue-failed-failed
File name:	73a53f8b8068543cf8d1219a2fdc671ed53d3602ae6c5.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	420'875 bytes
First seen:	2021-12-18 11:06:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	41c28fe7acb4d2c92a8bad32895fbc24 (7 x RedLineStealer, 4 x ArkeiStealer, 3 x Amadey)
ssdeep	12288:NPEibfxquEap9AhwQb7tMm4xWuBtUwadyUrHQ:NPEipN9AhwQHtmtUdyg
Threatray	4'042 similar samples on MalwareBazaar
TLSH	T1C494CF00BBE0C035F1B352F449B5C7A9653E7EB16B25A0CB62D427EA5A346E4EC7134B
File icon (PE):
dhash icon	5010f8ece06c6444 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.240:46257

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.240:46257	https://threatfox.abuse.ch/ioc/277335/

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

Win.Malware.Sabsik-9916379-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2464/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61bdc0d94ab5c44cbf47beaf/reports/390db9f0-cc6b-4a1f-937b-c018a33e787e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/41ff9b57-2657-4a65-ada2-fb6ee40ea83e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/909499

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/73a53f8b8068543cf8d1219a2fdc671ed53d3602ae6c5609b34dbb34521b0178/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-18 11:07:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oost7c4anbkdz6gregnc7xdhd3kt2nqcvzwfmcntjw5tiuq3af4a._file

Verdict:

malicious

RedLineStealer

45752903cbc98f5dd07c94dea481eabf17a7b2b659a60fdfa619fea7f7eef2e0

RedLineStealer

61012d16ce5716684e6755935387994e4916d3fcdc295d2ac8f02e688581c2ed

RedLineStealer

8b036689623b446d78e5341d89f79e7c521008dc1390fcc5477deb90787880f0

RedLineStealer

b31ed8b0d13dc24c0466a3516b7681793f7a330530bc5af5a11f201d98798ffb

RedLineStealer

def1c6c0f612e6c8f33b57ff702fa14c8c36ca1fad55a00bd2f18789401c236d

RedLineStealer

e5127a9ede19896dc5b7d164dc332251b03e3189ba66a972ac47f74b4402399d

RedLineStealer

f42ab6fefce253e5db737f05281964c50ec960e34655722d55e458e4f50633be

RedLineStealer

+ 4'032 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:170 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211218-m7zmnaffgr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.240:46257

Unpacked files

SH256 hash:

eeca0dad743736c8a15151b3185e1a4fcd368fde8336d33e9c4b2371fe7efbde

MD5 hash:

9aeb7624a3e9dfe978992a04d786535b

SHA1 hash:

7ada1dc5fc79cfaed7de873e4fd913747fe53184

Link:

https://www.unpac.me/results/052bb4d7-8a69-49cc-b4cc-4eb2ed8184d6/

SH256 hash:

e7f171237b013f4d91d87d2d50426c8ba911459f7269b4d4f57919748a738c45

MD5 hash:

796975467239e47382d2b30ffc745a7e

SHA1 hash:

4a94d275702f796f502f9f2830c6dc5e4e261e12

Link:

https://www.unpac.me/results/052bb4d7-8a69-49cc-b4cc-4eb2ed8184d6/

SH256 hash:

bead33b1c8ba6580506505fe7c4e0c01ab9d63fba5cbcee44c6409c08c2c5a59

MD5 hash:

3554fad347ec20642834c2f134c3c11b

SHA1 hash:

13ca25f2935c4dc59ccbfb1dc8141f92deee8194

Link:

https://www.unpac.me/results/052bb4d7-8a69-49cc-b4cc-4eb2ed8184d6/

SH256 hash:

73a53f8b8068543cf8d1219a2fdc671ed53d3602ae6c5609b34dbb34521b0178

MD5 hash:

4ecb793be8d8d411d3beac353b9b4ad7

SHA1 hash:

4bb839757cd08dae0c37d1b7704e9201f4b63246

Link:

https://www.unpac.me/results/052bb4d7-8a69-49cc-b4cc-4eb2ed8184d6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/73a53f8b8068543cf8d1219a2fdc671ed53d3602ae6c5609b34dbb34521b0178

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/214972/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample