MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 747c067409c614f5f526987561ecfb860d9913432e62fdf2622c61d92e9323db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA File information Comments

SHA256 hash:	747c067409c614f5f526987561ecfb860d9913432e62fdf2622c61d92e9323db
SHA3-384 hash:	378463649882c63bb718934da7b5dfc5a430518f5e14199c12d5c846159030f68ad7913afbf282b633ca32a2f8dcb33a
SHA1 hash:	88d50a29bcce3eca0f45834815b5882df5bddb02
MD5 hash:	c18647f453ddd11f8fc32c5c11af8c78
humanhash:	glucose-solar-may-princess
File name:	747c067409c614f5f526987561ecfb860d9913432e62f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	458'240 bytes
First seen:	2021-12-21 07:00:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	311650a1714368ee828d4a890d9baf3c (2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	6144:CBfvECkKvJehoH8RarFHi7AW0WrLaWGm3tdSJp/8aQs3veC4G:+fdFUarVQAWRrLaWGi/SJp6gve9G
Threatray	4'233 similar samples on MalwareBazaar
TLSH	T141A4C010F7A0C035F5B222F4497A92B8B93E7DE1A76450CF22D52AEE66346E0ED31717
File icon (PE):
dhash icon	2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.229:11452

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.229:11452	https://threatfox.abuse.ch/ioc/277936/

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

747c067409c614f5f526987561ecfb860d9913432e62f.exe

Verdict:

Malicious activity

Analysis date:

2021-12-21 07:04:02 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/abd922ef-307b-48c9-bec5-ec5e8ffc7c96

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/215573/

Detection(s):

Win.Dropper.Tofsee-9916986-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

DNS request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2818/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed tofsee

Link:

https://www.filescan.io/uploads/61c17bb0ec6c6c14a9e6eec1/reports/a447ed24-a02c-40d8-9159-10c312668119/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ecfdd095-d287-4902-a504-6cf8afadeb23

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/910786

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/747c067409c614f5f526987561ecfb860d9913432e62fdf2622c61d92e9323db/

Threat name:

Win32.Trojan.StealerGen

Status:

Malicious

First seen:

2021-12-21 07:01:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 28 (96.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=or6am5ajyykpl5jgtb2wd3h3qygzse2dfzrp34tcfrq5slutepnq._file

Verdict:

malicious

RedLineStealer

4ee947c64c25248011ad7d043d257978b1bf9d1c376e7e25a9d332a5e0af8a27

RedLineStealer

6fe38f5b9a96dcd56ee5653030f5fa73fe8653a42ed4a5bf5a12ed916725ab6c

RedLineStealer

9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

RedLineStealer

cb1b3d1bdad1a3e64972a7c902fbe7162b930cc2fbf4dafe5d33b1f2642086ed

RedLineStealer

+ 4'223 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:pablicher discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211221-hs782acde2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.229:11452

Unpacked files

SH256 hash:

cf280619a7cf882251d8ef4f1c72643b4d575d81844b7c249d2ad6aa811db7ea

MD5 hash:

87c674b28d52898f67ebd59931bfe7ab

SHA1 hash:

fc8bf6e2d54609fd13a11593695096d98a297796

Link:

https://www.unpac.me/results/32ec8b7f-afcb-4b59-994a-8170c25cf980/

SH256 hash:

e69870d97331c37bfb3b724e96e928e4588f99c66286d8b1e8cd957bccacba6f

MD5 hash:

b6f9b039569832b58fd64c353b716c70

SHA1 hash:

8f8b59e81706e79d270832f437376a69f5844a3f

Link:

https://www.unpac.me/results/32ec8b7f-afcb-4b59-994a-8170c25cf980/

SH256 hash:

ccbb09862f3a83cab41ed2cd4f38c1a4a902298ab0c60c7e7d8e27122caa36e8

MD5 hash:

dd61776a10e71e05ef52a368e6e4acf3

SHA1 hash:

01d051750b21bd2f3365f32e1b0d64a82c895d7c

Link:

https://www.unpac.me/results/32ec8b7f-afcb-4b59-994a-8170c25cf980/

SH256 hash:

747c067409c614f5f526987561ecfb860d9913432e62fdf2622c61d92e9323db

MD5 hash:

c18647f453ddd11f8fc32c5c11af8c78

SHA1 hash:

88d50a29bcce3eca0f45834815b5882df5bddb02

Link:

https://www.unpac.me/results/32ec8b7f-afcb-4b59-994a-8170c25cf980/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/747c067409c614f5f526987561ecfb860d9913432e62fdf2622c61d92e9323db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/215573/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample