MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a58fcee265cf80cd826e7de3dbf2c2f4cabf6a49be83edf4acefbdfda59fcec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 11

SHA256 hash: 7a58fcee265cf80cd826e7de3dbf2c2f4cabf6a49be83edf4acefbdfda59fcec
SHA3-384 hash: 42310626ebeec969a0466954010b198c27030b78ed9414adc48b38ebd8cb622fb144c22ea5afdab18807aeff942e5492
SHA1 hash: 150dc528f63c3b7c4d9c032227ed7e477da3f5a6
MD5 hash: 2797c0df1c61a09de7b58195eb669bb6
humanhash: sad-fish-coffee-diet
File name: 2797c0df1c61a09de7b58195eb669bb6.exe
Signature: RedLineStealer
File size: 456'192 bytes
First seen: 2021-11-21 16:00:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f4dd2fc3c2bc0f7f37512a211d153f86 (2 x Smoke Loader, 1 x DanaBot, 1 x CryptBot)
ssdeep: 6144:E8CPprphRz4a1N0O7U9nhsUvCaldRAikiEgxNd:E8CRrdl7mhsUvC6HACEgx/
Threatray: 14 similar samples on MalwareBazaar
TLSH: T1D7A4BE04E7E1C030F1B612F889759368B53F7EA1BB2490CB52D52AEE5634AE1ED7131B
dhash icon: 1412b2e068696c46 (3 x Smoke Loader, 2 x RedLineStealer, 1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 110
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2797c0df1c61a09de7b58195eb669bb6.exe
Verdict: Malicious activity
Analysis date: 2021-11-21 16:03:20 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2021-11-21 16:01:06 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:updbdate discovery infostealer spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 193.56.146.64:65441
Unpacked files
SHA256 hash: bf89bbeb9c8c26b97cabafc37f82a7a8c17beaa9c4c2022a0fa97e192c2e5341
MD5 hash: 4f7919e72580d05f83c2efdf5be272bf
SHA1 hash: a32da4d24a60c85651f492ddec81c50a947bc7f7

SHA256 hash: d5acec00fe9f8896cd6965ac70d8576a76b418f28d1edc6d12b802a6c4b65efa
MD5 hash: 2691eb4069f4e0da4cfa1c39758009ec
SHA1 hash: 9a4684a2b771e1fcbe0572d15a21bf320a450ebf

SHA256 hash: 05c03b24ee6a0fdc40fbe8a6db1f9501404c87376ca8876fd304be4c16ac0b74
MD5 hash: e70dcfa399c1dfdb8f243d00eea36284
SHA1 hash: 09437d7f193419585d3af8a33ec09eb1c3e9c818

SHA256 hash: 7a58fcee265cf80cd826e7de3dbf2c2f4cabf6a49be83edf4acefbdfda59fcec
MD5 hash: 2797c0df1c61a09de7b58195eb669bb6
SHA1 hash: 150dc528f63c3b7c4d9c032227ed7e477da3f5a6
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 7a58fcee265cf80cd826e7de3dbf2c2f4cabf6a49be83edf4acefbdfda59fcec (this sample)
