MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa
SHA3-384 hash: e21dcccf7a9456b90fba7f646a2eaf6ff9a9ffa5cd97480039ff639f638140ba40442af7a03f11494b173dbd2415748c
SHA1 hash: 3ff51146d65d17bbe5eec286349be33c2b6c7567
MD5 hash: cacccd6f1c391ed9f617931181b752d6
humanhash: apart-papa-venus-vegan
File name:cacccd6f1c391ed9f617931181b752d6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:574'464 bytes
First seen:2022-03-03 22:21:51 UTC
Last seen:2022-03-03 23:46:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:hU7kB6QLxsqV0vMC69SFQS03ULaHNqrxlKIQNoZ+YXWP:hskB5ViQAkEaHNYK3ie
Threatray 1'530 similar samples on MalwareBazaar
TLSH T1A6C433DED389B852C3CF15B4BC4CBE62A5C18920ACE0B554B1F811BBDD5C4F2C6198AE
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.55.169.112:34175

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
162.55.169.112:34175 https://threatfox.abuse.ch/ioc/392378/

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2022-03-03 21:01:46 UTC
Tags:
evasion trojan socelars stealer loader rat redline phishing opendir vidar
Link:
https://app.any.run/tasks/494e113a-424f-4f4f-aac0-66617da0516b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247131/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebd67bfb-a01f-4b3d-ba7a-39b685f80572
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950437
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 22:22:11 UTC
File Type:
PE (Exe)
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oyc2lu2vsqo56rssok6tcwb4evcyjns3emga7z5jhohyq7c26ova._file
Verdict:
malicious
Similar samples:
1635567f96d69d53a64c49fb4a8cb5d65663d545f4ae4ea7c6465b49e4c297f4
RedLineStealer
4b53dc815775a5f6d377218f9bee6b102d49f5dfc678f5a939ec2e0be0890e4b
RedLineStealer
59131e55898be4de6efa846f46a69f71e7ab941e6b0e3f6fc01b80693d68ea44
RedLineStealer
5b54867f600777e8cec30c3386a3d42f08da4e1a3a4e636f135e25e2d9850603
RedLineStealer
6489e500f911c3fb5d0e86b9b0723b051a0973538001cac94cbe32b597f8b0f1
RedLineStealer
675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542
RedLineStealer
7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574
RedLineStealer
932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e
RedLineStealer
9f6e71649662dd86ed3b65a8d20ad8c21971cb8087d14eeb34449f04b573b737
RedLineStealer
ae92d01c510158dba98ea9b8b5dabf08fd5ab9bb8da6f9175fe455198ea2e1da
RedLineStealer
+ 1'520 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220303-198j8scfe9/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
796e1a044411dc07873d67c0a954a96bf63156b64db3ebe7749e5605080520ce
MD5 hash:
d23b01767a52d9efd7dd2a5e9d86e68c
SHA1 hash:
b1a618e7aa824ae2607070609fb1926385c50649
Link:
https://www.unpac.me/results/3f79928b-89d0-402f-aff7-a6eb6d607ceb/
SH256 hash:
c8c0a37d4a26e9cbdaf7b5b0a904b7568fdcc817d247e7be903c3008e442a575
MD5 hash:
dcb0c4793897baa280dfde4836128b3a
SHA1 hash:
89bb9a0b4267f97dbd369eb7ceeaac70bb54718d
Link:
https://www.unpac.me/results/3f79928b-89d0-402f-aff7-a6eb6d607ceb/
SH256 hash:
7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa
MD5 hash:
cacccd6f1c391ed9f617931181b752d6
SHA1 hash:
3ff51146d65d17bbe5eec286349be33c2b6c7567
Link:
https://www.unpac.me/results/3f79928b-89d0-402f-aff7-a6eb6d607ceb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7605a5d35594/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1828281/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/247131/

Comments