MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7485557f72b02e1e7b0a69e07ec721065091640630b1b3a80b0a8ee0c6cdda57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7485557f72b02e1e7b0a69e07ec721065091640630b1b3a80b0a8ee0c6cdda57
SHA3-384 hash: 518090b1d323b5f37bef8481510b3d4d6f9d213d2140f1377f5ee8e5055a7398a7f35a07ba94d472d28e5466e93a234d
SHA1 hash: 99045594d27729c7d70f953e1418153a583fdb02
MD5 hash: bba6355ebedd92c3517ac7697e4055dd
humanhash: cold-iowa-echo-utah
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:389'632 bytes
First seen:2023-09-27 14:44:47 UTC
Last seen:2023-09-28 10:50:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 73011e4ba8dc0b0dfec2e41202c785bd (13 x RedLineStealer, 3 x MysticStealer, 2 x Amadey)
ssdeep 6144:foCtVTxu4YKkt4HDw93MmAOkFKp8YNXILe2xKICHBFnnn6jAC3viKC:foCxu4YKLma02YNXILGBFnnn6jAkiKC
Threatray 18 similar samples on MalwareBazaar
TLSH T1DD848C04385EAAB0CFB769310D61C734877E94680736D877D390FA9A6613BA0C27E376
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc52355237_666247435?hash=KEnlb7SHZzcgAosPsP7eUqDszgM6qj3gpeyvtBKbJcz&dl=I2QJZNsj7DDX0Run3m0vqPQZsrkEiXZWzWDQIvTz0pD&api=1&no_preview=1#1

Intelligence

File Origin
# of uploads :
3
# of downloads :
286
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-27 14:46:36 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/1f1e9a3b-323a-4571-86e2-3b0bda4d8f2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451619/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61437.23697.28581.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Modifying a system executable file
Delayed writing of the file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Sending a TCP request to an infection source
Stealing user critical data
Infecting executable files
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  2/10
Confidence:
100%
Tags:
control greyware lolbin shell32
Link:
https://www.filescan.io/uploads/65143ff032ffdb7a7a16393b/reports/52efe4a7-d8e4-4e28-8b13-f6d7348743b6/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/7485557f72b02e1e7b0a69e07ec721065091640630b1b3a80b0a8ee0c6cdda57
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b337c378-5454-4c42-9b8f-aa772c5b70d4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315336
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1315336 Sample: file.exe Startdate: 27/09/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 6 other signatures 2->55 10 file.exe 1 2->10         started        process3 signatures4 65 Contains functionality to inject code into remote processes 10->65 67 Writes to foreign memory regions 10->67 69 Allocates memory in foreign processes 10->69 71 Injects a PE file into a foreign processes 10->71 13 AppLaunch.exe 15 6 10->13         started        18 WerFault.exe 23 9 10->18         started        20 conhost.exe 10->20         started        process5 dnsIp6 43 146.59.10.173, 45035, 49792 OVHFR Norway 13->43 45 cdn.discordapp.com 162.159.134.233, 443, 49795 CLOUDFLARENETUS United States 13->45 37 C:\Users\user\AppData\Local\Temp\ci.exe, PE32 13->37 dropped 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->75 77 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->77 79 Tries to steal Crypto Currency Wallets 13->79 22 ci.exe 1 13->22         started        file7 signatures8 process9 signatures10 57 Antivirus detection for dropped file 22->57 59 Multi AV Scanner detection for dropped file 22->59 61 Query firmware table information (likely to detect VMs) 22->61 63 4 other signatures 22->63 25 AppLaunch.exe 74 22->25         started        29 conhost.exe 22->29         started        process11 dnsIp12 41 127.0.0.1 unknown unknown 25->41 73 Tries to harvest and steal browser information (history, passwords, etc) 25->73 31 chrome.exe 25->31         started        signatures13 process14 dnsIp15 47 192.168.2.1 unknown unknown 31->47 34 chrome.exe 31->34         started        process16 dnsIp17 39 www.google.com 172.217.13.100, 443, 49468, 49800 GOOGLEUS United States 34->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7485557f72b02e1e7b0a69e07ec721065091640630b1b3a80b0a8ee0c6cdda57/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 14:45:07 UTC
File Type:
PE (Exe)
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oscvk73swaxb46yknhqh5rzbazijczaggcy3hkalbkhobrwn3jlq._file
Verdict:
malicious
Similar samples:
14b4d7213793691cc41dc716747fb46f7dcd47654668426bdc6a0158c8bb0d53
RedLineStealer
22242fbb055277a7b7e7d8bd5c0ac4ecf84ebeee3d1c45cc4b564534d260d099
RedLineStealer
696dd89be3f66d9fd15ebe1093cc5827671908ff2dc090e9448ea28582502e5e
RedLineStealer
706224d01959812281290adc2f43521e5d38d0c3a556b381b8cbac2c2aa90e82
RedLineStealer
7fd998d13977acd53b1405ad855eb5bd034062bebd4b345b22f58697d0936bc9
RedLineStealer
dd3fae3045681535604f7ef10cf206d8a09464540585f6ed28ed94dd60e29e5e
RedLineStealer
e63afd55cb08e98daad895ad35c97d4bb9729066db635145d6d9e8d699f8876a
RedLineStealer
e6bf0f01bd6fe616d8f3f65fdf8c1fead831e5607a406a256661b0d9ab0098b6
RedLineStealer
f2a6c62b06c59d6abb71c11fd40a8fb32bbd2e920332ec4b38dee3ce2a6f2d55
RedLineStealer
+ 8 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer spyware
Link:
https://tria.ge/reports/230927-r4qmsscg25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
146.59.10.173:45035
Unpacked files
SH256 hash:
d745dac98cb7c0a417f01ec7a23d2dcb1d34105ec4cd054980ddc67f9127a1a9
MD5 hash:
d9a7b891bedf6fc8ba0febfff3f2fca8
SHA1 hash:
8856122eeb4d81ece50a78703c759278dee47873
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/1a2eda53-d260-4ad7-ba2a-4daaf4db7582/
Parent samples :
0d8c4cfe4ce016aee96975447b66763f4297a212ca3a6627c79f28cbcd5752e8
706224d01959812281290adc2f43521e5d38d0c3a556b381b8cbac2c2aa90e82
7485557f72b02e1e7b0a69e07ec721065091640630b1b3a80b0a8ee0c6cdda57
9beecd87678c6e4a2b9b67bbc4dd6d19bdf6f57979e8767a078d9b1c92261ecf
34bdbd14e1d6cb007b01e6c63a2657d0bfd7a1aebbde88a934e81d0ad5b4dde3
SH256 hash:
7485557f72b02e1e7b0a69e07ec721065091640630b1b3a80b0a8ee0c6cdda57
MD5 hash:
bba6355ebedd92c3517ac7697e4055dd
SHA1 hash:
99045594d27729c7d70f953e1418153a583fdb02
Link:
https://www.unpac.me/results/1a2eda53-d260-4ad7-ba2a-4daaf4db7582/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7485557f72b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7485557f72b02e1e7b0a69e07ec721065091640630b1b3a80b0a8ee0c6cdda57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/451619/

Comments