MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7971b8802f097e62e712558e0bea53360c9df9417647058583f10d5e7cf208f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7971b8802f097e62e712558e0bea53360c9df9417647058583f10d5e7cf208f1
SHA3-384 hash: 590200d1d3185b2a9aa4d3e3d8c73dbcdc06834d1a4ad576c86df7030be4396694835fb891b39d90b5031bbf93cd941e
SHA1 hash: 8602387731421a9fadd6a1ccd2912d3398930af7
MD5 hash: 0fd906e99af5b05ac927d837eab75da2
humanhash: artist-oxygen-neptune-green
File name:0fd906e99af5b05ac927d837eab75da2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'056'638 bytes
First seen:2022-05-06 09:16:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 49152:pAI+KLKC3I/NtC83/XigLgQ0Lq2AgrPCKYxCw3eN5:pAI+KLKaKuafgrCuN5
Threatray 8'035 similar samples on MalwareBazaar
TLSH T18F952366B64681B6D0620A76088BD779FE37BB481F3D55CFB3EC0E2C8D332452658396
TrID 86.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
5.6% (.EXE) InstallShield setup (43053/19/16)
1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.7% (.SCR) Windows screen saver (13101/52/3)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.252.21.122:12851

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.252.21.122:12851 https://threatfox.abuse.ch/ioc/548413/

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0fd906e99af5b05ac927d837eab75da2.exe
Verdict:
No threats detected
Analysis date:
2022-05-06 09:19:22 UTC
Tags:
installer
Link:
https://app.any.run/tasks/744e7c10-4866-4551-ada8-bb6fb04961d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269050/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Modifying a system file
Running batch commands
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Launching a process
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16523/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive fingerprint greyware overlay packed redline shell32.dll
Link:
https://www.filescan.io/uploads/6274e79340f9dd937ee8d54c/reports/e4af1c6f-85dd-4daf-a84e-8f46ca459bcf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0448659-7aa0-4f19-a1fb-2847d177c753
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989005
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses regedit.exe to modify the Windows registry
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 621501 Sample: Ve1sfcNb49.exe Startdate: 06/05/2022 Architecture: WINDOWS Score: 100 53 www.google.com 2->53 55 gstaticadssl.l.google.com 2->55 67 Snort IDS alert for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 9 other signatures 2->73 8 Ve1sfcNb49.exe 16 13 2->8         started        11 explorer.exe 12 2->11         started        signatures3 process4 file5 41 C:\Program Files (x86)\...\Updater.exe, PE32 8->41 dropped 43 C:\Program Files (x86)\...\Uninstall.exe, PE32 8->43 dropped 45 C:\Program Files (x86)\...\MemoryCleaner.exe, PE32+ 8->45 dropped 13 Updater.exe 5 8->13         started        17 cmd.exe 1 8->17         started        19 MemoryCleaner.exe 8->19         started        21 chrome.exe 15 380 11->21         started        process6 dnsIp7 57 5.252.21.122, 12851, 49801 FIRSTDC-ASRU Russian Federation 13->57 75 Tries to harvest and steal browser information (history, passwords, etc) 13->75 77 Tries to steal Crypto Currency Wallets 13->77 79 Uses regedit.exe to modify the Windows registry 17->79 24 explorer.exe 17->24         started        26 conhost.exe 17->26         started        28 regedit.exe 17->28         started        30 regedit.exe 17->30         started        59 memorycleaner.kilho.net 13.124.183.140, 443, 49747 AMAZON-02US United States 19->59 61 192.168.2.1 unknown unknown 21->61 63 192.168.2.5 unknown unknown 21->63 65 239.255.255.250 unknown Reserved 21->65 35 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 21->35 dropped 37 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 21->37 dropped 39 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 21->39 dropped 32 chrome.exe 21->32         started        file8 signatures9 process10 dnsIp11 47 iplogger.org 148.251.234.83, 443, 49751 HETZNER-ASDE Germany 32->47 49 www3.l.google.com 142.250.184.206, 443, 49769 GOOGLEUS United States 32->49 51 13 other IPs or domains 32->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7971b8802f097e62e712558e0bea53360c9df9417647058583f10d5e7cf208f1/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 06:36:29 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfy3rabpbf7gfzyskwhax2stgygj36kbozdqlbmd6egv47hsbdyq._file
Verdict:
malicious
Similar samples:
03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4
RedLineStealer
06db093414f42d7669e57d31a8d563c71018e8d75c886244b77a6a9bc86b6fdb
RedLineStealer
13e353b5aaf0a49286d0148954759cf4eb844087f28bf0be58f9fe0f8c9df947
RedLineStealer
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
RedLineStealer
663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa
RedLineStealer
bf857a8b64347b8df2cced82c84b9db3bb3139d481bead89e641e819cce1d4d3
RedLineStealer
+ 8'025 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:xxx discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/220506-k831cscddl/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
5.252.21.122:12851
Unpacked files
SH256 hash:
832a3d49c76826adfa13d91d33b07eddc0f3372efba62cd9ab7bffcd5e88a51d
MD5 hash:
8136bf40f8e3bfb3a1c8eaf31b470dee
SHA1 hash:
cdf32f6c907bb1f92538b6bdccb65e121d9af186
Link:
https://www.unpac.me/results/140b77e1-13b6-4e88-a88e-40163c69dbe5/
SH256 hash:
8178f38652a8f098b3b89f40058f2eb8dfd801d721bcb009d7c745d092aeef18
MD5 hash:
f240ee156e4449475b680b24af00c59d
SHA1 hash:
bf54dbdec1c9b14ebc7697355f5a054c1dab0e3f
Link:
https://www.unpac.me/results/140b77e1-13b6-4e88-a88e-40163c69dbe5/
SH256 hash:
464e3c70cbd4185d85a58a2226d0cab6eb84f569d9f02c584105f3b1f92c497b
MD5 hash:
3f26ad82619517e1dd941ffc4aa39102
SHA1 hash:
82e8accedf9adf636c30a7d67c1f2aad54d18e8e
Link:
https://www.unpac.me/results/140b77e1-13b6-4e88-a88e-40163c69dbe5/
SH256 hash:
7971b8802f097e62e712558e0bea53360c9df9417647058583f10d5e7cf208f1
MD5 hash:
0fd906e99af5b05ac927d837eab75da2
SHA1 hash:
8602387731421a9fadd6a1ccd2912d3398930af7
Link:
https://www.unpac.me/results/140b77e1-13b6-4e88-a88e-40163c69dbe5/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7971b8802f09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7971b8802f097e62e712558e0bea53360c9df9417647058583f10d5e7cf208f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269050/

Comments