MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b844e92f23a024459588b88c6a41f652ca2ec0a05da0811e7f60ee866de34d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12



SHA256 hash: 7b844e92f23a024459588b88c6a41f652ca2ec0a05da0811e7f60ee866de34d5
SHA3-384 hash: 70c32053fb22fa1624b3278ea3ba4e6bd7d7898fbde5fb290821703b87583be9b64e1fe3510cb0bf1507d9f7b6b9904c
SHA1 hash: e924f5e741a5ee8df005609d4fa711b7c6150727
MD5 hash: d2dc1e9b225601de70695921b3f340d9
humanhash: pasta-bravo-pennsylvania-pennsylvania
File name: d2dc1e9b225601de70695921b3f340d9.exe
Signature: RedLineStealer
File size: 314'880 bytes
First seen: 2021-11-22 00:50:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d1bfe1850bd73f3d3b006c3f4b37a341 (7 x RedLineStealer, 1 x Loki, 1 x DanaBot)
ssdeep: 6144:rUfKIDKB6RJOmhmqBq+8Y1mNxr5koKNbjcEwl+cqUh/v:c3DKBAdmqBd8Gm5k3bjc++
Threatray: 8'163 similar samples on MalwareBazaar
TLSH: T17E64F11277B2C47AF093173124709B718B3F3D326A39015B27A7262EAEF02E15A6D757
dhash icon: fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
95.215.205.135:8634

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
95.215.205.135:8634    https://threatfox.abuse.ch/ioc/251887/

Intelligence


File Origin
# of uploads: 1
# of downloads: 134
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d2dc1e9b225601de70695921b3f340d9.exe
Verdict: Malicious activity
Analysis date: 2021-11-22 00:53:24 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph: (graph image not reproduced here)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-11-22 00:51:04 UTC
AV detection: 23 of 27 (85.19%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:2111 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 95.215.205.135:8634
Unpacked files
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RedLineStealer
  Executable exe 7b844e92f23a024459588b88c6a41f652ca2ec0a05da0811e7f60ee866de34d5 (this sample)

Delivery method: Distributed via web download
