MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f
SHA3-384 hash: 01241c008a51733c2580316d4f18836dead0793bc4204859dddb4fbfa0a13acc19479650495215786061238d2e677d19
SHA1 hash: 5772bd98e8da65cb1339e45074b0a6eaf07219a6
MD5 hash: 936cb3023cd500e07e9ad5dda9996c3f
humanhash: failed-seventeen-cola-comet
File name: lux3.bin
Signature: RedLineStealer
File size: 172'544 bytes
First seen: 2023-07-19 03:43:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 1536:obuR0C10WqlVZRGWyuHrTog/XzMXMQ8ys88888888888888888888888g888888T:PR0feoog/ZpyqVEUCidWT8F58e8hQ
TLSH: T17CF3D598364B667EC97F887D9C604CD0667CACA61242A7478C8EF0E87D3B7919F150F2
TrID:
  60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.8% (.SCR) Windows screen saver (13097/50/3)
  8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 10f0d4d0d4d4cc33 (299 x RedLineStealer, 1 x N-W0rm, 1 x LaplasClipper)
Reporter: JAMESWT_WT
Tags: exe FruitMiX RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 283
Origin country: IT
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: https://fundovidaips.com/download/File_pass1234.7z
Verdict: Malicious activity
Analysis date: 2023-07-18 20:16:02 UTC
Tags: privateloader evasion opendir loader risepro stealer payload fabookie redline rat amadey trojan gcleaner smoke povertystealer arkei vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Threat level: 10/10
Confidence: 86%
Tags: confuserex lolbin masquerade packed packed replace stealer
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  C2 URLs / IPs found in malware configuration
  Found malware configuration
  Found many strings related to Crypto-Wallets (likely being stolen)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Snort IDS alert for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Crypto Currency Wallets
  Yara detected RedLine Stealer
Threat name: ByteCode-MSIL.Trojan.RedLine
Status: Malicious
First seen: 2023-07-08 08:33:58 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 22 of 25 (88.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:lux3 discovery infostealer spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Reads user/profile data of web browsers
  RedLine
Malware Config
C2 Extraction: 176.123.9.142:14845
Unpacked files
SHA256 hash: 7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f
MD5 hash: 936cb3023cd500e07e9ad5dda9996c3f
SHA1 hash: 5772bd98e8da65cb1339e45074b0a6eaf07219a6
Detections: redline
Parent samples:
family: RedLine.E
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments