MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cf017b257f3d2604cc7f191baa47989a27ade9a9bba3b28fc1bacdc4afedc0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	7cf017b257f3d2604cc7f191baa47989a27ade9a9bba3b28fc1bacdc4afedc0b
SHA3-384 hash:	8712730e3506426d41a14cb8d6ede4739cf162b31379100e42c271156de0d34da322c05817d8fa37a200a2995fdda4e9
SHA1 hash:	d9a13b20a66bc02ed9c0aa35044f0e83ad8c94b5
MD5 hash:	ab5f8fe436203eaf3bcd09d4ab9c7c55
humanhash:	enemy-angel-pennsylvania-white
File name:	7cf017b257f3d2604cc7f191baa47989a27ade9a9bba3.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	387'072 bytes
First seen:	2022-03-18 17:00:57 UTC
Last seen:	2022-03-18 18:45:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cdfd67576839b3ef23c2c4c35e8861a (2 x RedLineStealer, 1 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	6144:81Q/gptGKqJL2Dj+D/Tg2/FxAKOB7s4/sezNmE5ciJovdQA:eQYptGKqJqaTpkk4/tU/FQ
Threatray	3'384 similar samples on MalwareBazaar
TLSH	T113840116B752C0B3C0C398707E2AC3A16E7A7871A5F1C847BB915B291E713D2A97734B
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.233.48.58:38989

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.233.48.58:38989	https://threatfox.abuse.ch/ioc/409201/

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/252710/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.27171.21562.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/9731/overview

Behaviour

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm azorult greyware hlux lockbit

Link:

https://www.filescan.io/uploads/6234bad30cd58dbd92b7de6b/reports/ce1eeaa7-ddda-4f48-b85f-a8795faefff7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2edeba65-fde8-4571-8766-7fd6e5aca414

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/959738

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7cf017b257f3d2604cc7f191baa47989a27ade9a9bba3b28fc1bacdc4afedc0b/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-03-18 17:01:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ptybpmsx6pjgatgh6gi3vjdzrgrhvxu2to5dwkh4downysx63qfq._file

Verdict:

malicious

RedLineStealer

102bd99b98a08804eba5085c4d339772f12bec461e5eb2ba84c00ce54117e383

RedLineStealer

2a06da1f6bb8f01f932093ed9ae5f1ca2ff7b53b89dfd46a0102200cf3ebaead

RedLineStealer

30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6

RedLineStealer

6fd8616b2ae9f0c04f7bd91f87e7efea5a0e488001fd37ff1b523d0b36e8f027

RedLineStealer

987651f9f7dbdae2eb283db2328f4daf4970bd487bbaf5e3892cb980305a24f5

RedLineStealer

ac11513e0ae44da690d7456df22d6874e0b29f97b5c0aa9286d7c59492f323f3

RedLineStealer

+ 3'374 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzki discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220318-vjj63acca9/

Behaviour

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.233.48.58:38989

Unpacked files

SH256 hash:

19fec522e6ddfc64730dfdba5108f8972631f64b0c2283019128cc9904f16c30

MD5 hash:

c84e55891be08610732c73fa09aa7fd1

SHA1 hash:

e4c41c452537fae4c9b72104e75728a270d600ee

Link:

https://www.unpac.me/results/5428c3c8-21a6-473f-b132-2c48de53ece8/

SH256 hash:

c2618311d497966c9d08fd2e74ee3782a5e691562c041c13746583277a67ac30

MD5 hash:

ff0e9032573fad2059d8437554089c0c

SHA1 hash:

e3fbd83f7b42a43d0b42c7182afe7fcea2ce7ef6

Link:

https://www.unpac.me/results/5428c3c8-21a6-473f-b132-2c48de53ece8/

SH256 hash:

e5e5fb9b44fcd81211951bca36d150a5b215a78c45f19fbaf341aced0e2b1cf8

MD5 hash:

2bfbdf39cf142eb7dd6592974e93c2bb

SHA1 hash:

71f6e7419da0eb0413cd4b5b2041f6a2e1db21b4

Link:

https://www.unpac.me/results/5428c3c8-21a6-473f-b132-2c48de53ece8/

SH256 hash:

7cf017b257f3d2604cc7f191baa47989a27ade9a9bba3b28fc1bacdc4afedc0b

MD5 hash:

ab5f8fe436203eaf3bcd09d4ab9c7c55

SHA1 hash:

d9a13b20a66bc02ed9c0aa35044f0e83ad8c94b5

Link:

https://www.unpac.me/results/5428c3c8-21a6-473f-b132-2c48de53ece8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7cf017b257f3d2604cc7f191baa47989a27ade9a9bba3b28fc1bacdc4afedc0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/252710/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample