MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ccf52e16a13ed7087427bcdb05c85971b0d9796a5884287573166da46ad50f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ccf52e16a13ed7087427bcdb05c85971b0d9796a5884287573166da46ad50f1
SHA3-384 hash: b7ec1365cfd81fad16e026739430d77ddc03aa545e6af34ba81a0e92b6f875fdde75f7187ed76fd2fe6397215d78a845
SHA1 hash: ced576b927cf968a52f59ae8049371e239c4a81a
MD5 hash: 39cfe46a2ddbd46185473f1876299542
humanhash: two-mississippi-zulu-mockingbird
File name:39cfe46a2ddbd46185473f1876299542.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:964'608 bytes
First seen:2023-09-27 01:10:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:7yn3eMPGR1Xpfd+5UoSGCm64VJFT9w5XMZuMuc0o:un3RuRdBdUXCm64VJR9wkuMt0
Threatray 1'400 similar samples on MalwareBazaar
TLSH T1882522A2ABE88223D8B417B01CF613D32935FC698970D72A2B82DD5F4E736919531773
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.91.124.55:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
39cfe46a2ddbd46185473f1876299542.exe
Verdict:
Malicious activity
Analysis date:
2023-09-27 01:13:43 UTC
Tags:
stealc stealer redline
Link:
https://app.any.run/tasks/29a22177-9508-4c0b-a8fb-90eeaf411a5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451376/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/6513812683a0c6425d004cdf/reports/86abfdbd-40a5-4446-bf70-4db5ab3bd8ea/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/7ccf52e16a13ed7087427bcdb05c85971b0d9796a5884287573166da46ad50f1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/383bf6c0-9340-4c51-aa9f-e009eecfb823
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314869
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1314869 Sample: a9tR3VX7x8.exe Startdate: 27/09/2023 Architecture: WINDOWS Score: 100 94 Snort IDS alert for network traffic 2->94 96 Multi AV Scanner detection for domain / URL 2->96 98 Found malware configuration 2->98 100 11 other signatures 2->100 12 a9tR3VX7x8.exe 1 4 2->12         started        15 p1sjitvcK1Iffqo.exe 2->15         started        18 rundll32.exe 2->18         started        20 2 other processes 2->20 process3 file4 72 C:\Users\user\AppData\Local\...\x0775105.exe, PE32 12->72 dropped 74 C:\Users\user\AppData\Local\...\k1987763.exe, PE32 12->74 dropped 22 x0775105.exe 1 4 12->22         started        130 Tries to harvest and steal browser information (history, passwords, etc) 15->130 signatures5 process6 file7 58 C:\Users\user\AppData\Local\...\x2994782.exe, PE32 22->58 dropped 60 C:\Users\user\AppData\Local\...\j1613084.exe, PE32 22->60 dropped 114 Antivirus detection for dropped file 22->114 116 Machine Learning detection for dropped file 22->116 26 x2994782.exe 1 4 22->26         started        signatures8 process9 file10 62 C:\Users\user\AppData\Local\...\x1159821.exe, PE32 26->62 dropped 64 C:\Users\user\AppData\Local\...\i5851329.exe, PE32 26->64 dropped 118 Antivirus detection for dropped file 26->118 120 Machine Learning detection for dropped file 26->120 30 x1159821.exe 1 4 26->30         started        34 i5851329.exe 26->34         started        signatures11 process12 file13 76 C:\Users\user\AppData\Local\...\h9952059.exe, PE32 30->76 dropped 78 C:\Users\user\AppData\Local\...\g6164032.exe, PE32 30->78 dropped 132 Antivirus detection for dropped file 30->132 134 Machine Learning detection for dropped file 30->134 36 g6164032.exe 30->36         started        39 h9952059.exe 4 30->39         started        signatures14 process15 dnsIp16 102 Antivirus detection for dropped file 36->102 104 Machine Learning detection for dropped file 36->104 106 Contains functionality to inject code into remote processes 36->106 112 3 other signatures 36->112 42 AppLaunch.exe 18 36->42         started        47 WerFault.exe 21 9 36->47         started        80 77.91.124.55, 19071, 49797, 49798 ECOTEL-ASRU Russian Federation 39->80 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->108 110 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->110 signatures17 process18 dnsIp19 82 5.42.92.211, 49794, 49800, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 42->82 66 C:\Users\user\AppData\...\p1sjitvcK1Iffqo.exe, PE32 42->66 dropped 68 C:\Users\user\AppData\...\fs6ZItTQPwS62PCA, SQLite 42->68 dropped 70 C:\Users\user\...\fs6ZItTQPwS62PCA.dll, PE32 42->70 dropped 122 Found many strings related to Crypto-Wallets (likely being stolen) 42->122 124 Tries to harvest and steal browser information (history, passwords, etc) 42->124 126 DLL side loading technique detected 42->126 128 Tries to steal Crypto Currency Wallets 42->128 49 p1sjitvcK1Iffqo.exe 3 42->49         started        52 cmd.exe 42->52         started        file20 signatures21 process22 signatures23 84 Antivirus detection for dropped file 49->84 86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->86 88 Machine Learning detection for dropped file 49->88 90 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 49->90 92 Uses schtasks.exe or at.exe to add and modify task schedules 52->92 54 conhost.exe 52->54         started        56 schtasks.exe 52->56         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ccf52e16a13ed7087427bcdb05c85971b0d9796a5884287573166da46ad50f1/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 01:11:05 UTC
File Type:
PE (Exe)
Extracted files:
154
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pthvfylkcpwxbb2cppg3axefs4nq3f4wuweefb2xgftnurvnkdyq._file
Verdict:
malicious
Similar samples:
0dfc65d1747e97aa8f387bac127f1839359352cefc169e008f58de2ff06dc49b
RedLineStealer
12da01e0dd4183f27ac316d4e8889a249df778610dc574fd624e68e287693146
RedLineStealer
4257603f3ebc986c59d5dd7ca93f69d52a4c673c1eae2c2e53eb7060cb15336c
RedLineStealer
672b840237ed952b8abaff3890838639cdfa63a4fac4423b5ef604808bfe8a7e
RedLineStealer
7d99eb634d001b9dc8667d34cf8f0ae1a067e69dbd366e63af156a592017d254
RedLineStealer
a84a64e85f64f52e37b27f2dfd8c69755e12f5e760b900425809a864cfb784fd
RedLineStealer
abde6bc0712d53028c2c085e2564bf5e06bd348396a06f17712ff300e6e21790
RedLineStealer
d331612139ce264eb3770d828b8242a1e04e8a81af38fc3300647deb6a896060
RedLineStealer
eef26490e77fe02338150f05b2134d053736d33b448d2e5309778921cd7cf610
RedLineStealer
fa96f32dffc26c286f041c805998e70bb94f3ece02d1e791b5b604880aba297c
RedLineStealer
+ 1'390 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:mystic family:redline botnet:laura infostealer persistence stealer
Link:
https://tria.ge/reports/230927-bjx85sgb82/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Mystic
RedLine
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
deb3dab686071c8388d00475e54acaf8581d8b07b0bb1b7fa75f885d630fc93d
MD5 hash:
b599cdea0f6193df9f878695bef9b96c
SHA1 hash:
57c744adfeaad4e0aee5c70bd722608a06e5eb89
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/da255a8a-7f0e-43f3-a644-2a0c60a68798/
SH256 hash:
5e360ac0367fc2cbdc2ed1a3b7542d04ab2be72ffaaed3f9ebc0122e1d6ac4ef
MD5 hash:
2b6682e0e689531914f8e1a61258fee3
SHA1 hash:
a70e9b690bce9f9688bf8077203f36ee8deb17f2
Link:
https://www.unpac.me/results/da255a8a-7f0e-43f3-a644-2a0c60a68798/
SH256 hash:
436288c4d0d8b8e0a831aa31b4248b1336e4cc801b0871658de0c9b9b3e34e6b
MD5 hash:
994fa6ac1f95e121f4b3e96a251786dd
SHA1 hash:
d291504be3b8ffe1c21c992b8cb6012b8f384240
Link:
https://www.unpac.me/results/da255a8a-7f0e-43f3-a644-2a0c60a68798/
SH256 hash:
36fe88ef0b5c6b1e9cb104441ed0106c8792f9485eb15067dc9bb9654d736f28
MD5 hash:
ed9b9acfcfbbb6888bf485b31a95df62
SHA1 hash:
e16bcaf3a2870c53c15a8c5c06f2a3870eedec2e
Link:
https://www.unpac.me/results/da255a8a-7f0e-43f3-a644-2a0c60a68798/
SH256 hash:
7ccf52e16a13ed7087427bcdb05c85971b0d9796a5884287573166da46ad50f1
MD5 hash:
39cfe46a2ddbd46185473f1876299542
SHA1 hash:
ced576b927cf968a52f59ae8049371e239c4a81a
Link:
https://www.unpac.me/results/da255a8a-7f0e-43f3-a644-2a0c60a68798/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ccf52e16a13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ccf52e16a13ed7087427bcdb05c85971b0d9796a5884287573166da46ad50f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7ccf52e16a13ed7087427bcdb05c85971b0d9796a5884287573166da46ad50f1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2712825/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/451376/

Comments