MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b127d520696b1e8ea633c47770a05b3c06e5215911a91241ecebe297b9ef395. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 4 File information Comments

SHA256 hash:	7b127d520696b1e8ea633c47770a05b3c06e5215911a91241ecebe297b9ef395
SHA3-384 hash:	d393c13ceb4c25c588c1edc43b995afa3a07b467df1816726ce4dccc1939aa8bf334c18c00ab96dff164acaa683d9891
SHA1 hash:	4bc0ddcb3c99c3ca6614346118574a04abe99ad7
MD5 hash:	9822358cdf8f3d4fded3bb148de84c58
humanhash:	mobile-echo-sweet-shade
File name:	7b127d520696b1e8ea633c47770a05b3c06e5215911a9.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'324'544 bytes
First seen:	2021-11-19 11:31:57 UTC
Last seen:	2021-11-19 13:54:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep	24576:deqttqnvYFBI3bDzpJVzjHg4/MFZqZVwlGEQ3ZxQGY5kEaHNYK3iV4aNv:8YavDLDtJhAAMvqolgOGaNa0tNv
TLSH	T1CB5533AA81802D78EC4A15707D3BCD4BD00ED66C9BCCD79EE6A6029F4F898095FE4774
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
77.232.40.51:20166

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
77.232.40.51:20166	https://threatfox.abuse.ch/ioc/251021/

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7b127d520696b1e8ea633c47770a05b3c06e5215911a9.exe

Verdict:

Malicious activity

Analysis date:

2021-11-19 11:44:24 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/ef201f92-2730-4da5-98fd-65c3ade6c4e9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Creating a window

Searching for the window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm packed

Link:

https://www.filescan.io/uploads/61978b3643e8f62b669a4cd6/reports/cd3585c3-fc2a-43f6-9901-7c20e387ea4c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

IntelRapid

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cddc0456-24e6-4bbe-a0e6-214c9da83493

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/892608

Signature

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b127d520696b1e8ea633c47770a05b3c06e5215911a91241ecebe297b9ef395/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-19 11:32:06 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pmjh2uqgs2y6r2tdhrdxocqfwpag4uqvsenjcja6z27cs6466okq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:zhiga19 evasion infostealer spyware suricata trojan

Link:

https://tria.ge/reports/211119-nna1maabgp/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Looks up external IP address via web service

Checks BIOS information in registry

Drops startup file

Loads dropped DLL

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

77.232.40.51:20166

Dropper Extraction:

https://antivirf.ru/big.exe
https://antivirf.ru/biga.exe

Unpacked files

SH256 hash:

b937da587055c7e46518e673627a1d1e66e3ab1b6226907097364e690377891d

MD5 hash:

151e51da025a0aa59b378da2ca755da4

SHA1 hash:

1ebb1788598eae4de8dc03b7cb421da76683c438

Link:

https://www.unpac.me/results/1e0103ac-96ed-4dd2-ab9a-0f694ee8841b/

SH256 hash:

7b127d520696b1e8ea633c47770a05b3c06e5215911a91241ecebe297b9ef395

MD5 hash:

9822358cdf8f3d4fded3bb148de84c58

SHA1 hash:

4bc0ddcb3c99c3ca6614346118574a04abe99ad7

Link:

https://www.unpac.me/results/1e0103ac-96ed-4dd2-ab9a-0f694ee8841b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7b127d520696/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7b127d520696b1e8ea633c47770a05b3c06e5215911a91241ecebe297b9ef395

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/207594/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample