MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c5a70a623e9c73461fd0e42aa7766586aab4d23036d64aeddc4b28d64669094. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c5a70a623e9c73461fd0e42aa7766586aab4d23036d64aeddc4b28d64669094
SHA3-384 hash: f4728dcb3ee0878ed53a4b124d6270d7a6dd6212a523de3837f47752c2cfb6fd3a2b1bb21ddc177b48e1d18615996812
SHA1 hash: ed74533f1a4d41beb9157109ce1cf62b5e92f8a1
MD5 hash: c7b1a27944871b139dc253c5cfb4cf6f
humanhash: sixteen-diet-asparagus-cardinal
File name:RunGame.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'529'152 bytes
First seen:2022-07-08 19:16:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7dc28ef949f54ad98c715895ecc34cff (79 x RedLineStealer, 2 x Formbook)
ssdeep 98304:BGhJLDrg6W0GXmaFqi0Hq80WHKUPPClweUPGA3tQI6Q9TNBAT7h:khtg9/XmtFK80Wq0PCl7ACI6QhTOd
Threatray 6'805 similar samples on MalwareBazaar
TLSH T1F72633A211867D2EC25741BBB09D9D60D7A11C3E62EC3E1FD3FA41A172414E4CEEB17A
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
369
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://bit.ly/34EVBhp
Verdict:
Malicious activity
Analysis date:
2022-02-23 23:34:14 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4be11ef5-4306-4edf-8cc6-75aa4557bab1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285710/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.FakeDisbalancer-9941660-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed racealer
Link:
https://www.filescan.io/uploads/62c882b111764e36f823ef6e/reports/5c50d523-69fc-43e9-9226-1911399746cc/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f2109a8-6fab-4196-9b65-513f3217ea6f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1027530
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c5a70a623e9c73461fd0e42aa7766586aab4d23036d64aeddc4b28d64669094/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 03:04:40 UTC
File Type:
PE (Exe)
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=prnhbjrd5hdtiyp5bzbku53glbvkwtjdanwwjlw5yszi2zdgscka._file
Verdict:
malicious
Similar samples:
2611cbdb42c4bcff5f9d1027c2b72e38ac6dd5fc76712ebd7d56d833077072ff
RedLineStealer
44da6217702a77c01ed9735e67d6fffee11de2298aaaea899ddbc39da26460e0
RedLineStealer
9c126bfde9969c0d34230993dc33d233ac66eec831fd35204d4b7faf1f7af990
RedLineStealer
d37f2546cea1ed8a8f85d1f6274f7a59869ded7f56ecc6af9c123dd76fd10d70
RedLineStealer
f171414a07b968fde0474e2f9d7898221c62fb63ce5ec555efa6391e5ab3e840
RedLineStealer
+ 6'795 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/220708-xzcg9shab4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.106.191.253:34189
Unpacked files
SH256 hash:
9ba9fbfc4dd251143c2319b404a89506a17860b943f02146597bbb5f3efd1dca
MD5 hash:
2294a96d653505b80122f19efbe8871e
SHA1 hash:
47ff17d2487b555d7064d72d0e3ffcefecfc8a40
Link:
https://www.unpac.me/results/3d8b8ed1-21e5-47d9-bf52-aa8e74ddf2e9/
SH256 hash:
62bbdd329789a62c9a633c7f8be3078afc621a2ea584ccdc25e24fb370d59b74
MD5 hash:
a5f79330e5acdff9f7b24ffbeec9db90
SHA1 hash:
4972c86192fb86768e3512264179d6d7c75f0503
Link:
https://www.unpac.me/results/3d8b8ed1-21e5-47d9-bf52-aa8e74ddf2e9/
SH256 hash:
7c5a70a623e9c73461fd0e42aa7766586aab4d23036d64aeddc4b28d64669094
MD5 hash:
c7b1a27944871b139dc253c5cfb4cf6f
SHA1 hash:
ed74533f1a4d41beb9157109ce1cf62b5e92f8a1
Link:
https://www.unpac.me/results/3d8b8ed1-21e5-47d9-bf52-aa8e74ddf2e9/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c5a70a623e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c5a70a623e9c73461fd0e42aa7766586aab4d23036d64aeddc4b28d64669094

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7c5a70a623e9c73461fd0e42aa7766586aab4d23036d64aeddc4b28d64669094

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/285710/

Comments