MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d124975437e9e3d3aab4a9fcb067532ad6cd8da6c99fa6a183f3343dc33f06a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	7d124975437e9e3d3aab4a9fcb067532ad6cd8da6c99fa6a183f3343dc33f06a
SHA3-384 hash:	067d407eb190c4ba2af00f16951dc9a6f205110af6d5e4e1eb36d47c8da0505bbef5fa8dbecca770d0c32bb74bdf64ce
SHA1 hash:	3ec69f232e445bbe016fe37ad1d158f52ebe2b74
MD5 hash:	1c292bcd90fbcbefdee77404ea88da83
humanhash:	sodium-solar-oranges-carpet
File name:	1c292bcd90fbcbefdee77404ea88da83.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	611'840 bytes
First seen:	2022-03-29 03:52:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	12288:Df2a4AALA/fNXCQC8Dp3/5QS03ULaHNqrxlKIQNozVkjzbFHP:DfT4knpCwDp3RkEaHNYK3sVkfbFv
Threatray	1'996 similar samples on MalwareBazaar
TLSH	T100D423A9B6C4DE48C1D6FBBE1C29B5A7E076A106BFC03239F2B94B0695448C3E71D05D
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.25:27757

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.25:27757	https://threatfox.abuse.ch/ioc/460314/

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/258851/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Сreating synchronization primitives

DNS request

Connecting to a non-recommended domain

Sending a custom TCP request

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed racealer

Link:

https://www.filescan.io/uploads/6242829fa19c649412a38445/reports/f4c87c1c-a145-4195-95c9-f709e5824f20/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0824c4f7-da9f-4a99-95ba-11906f43174a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/966318

Signature

Allocates memory in foreign processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d124975437e9e3d3aab4a9fcb067532ad6cd8da6c99fa6a183f3343dc33f06a/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-03-26 20:56:47 UTC

File Type:

PE (Exe)

AV detection:

29 of 42 (69.05%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pujes5kdp2pd2ovljkp4wbtvgkwwzwg2nsm7u2qyh4zuhxbt6bva._file

Verdict:

malicious

RedLineStealer

1a2dd18cee343e86e992f506a4ce0f95568eb4e2bba8696ff9a810664cf7dd10

RedLineStealer

1ef31bf987a083644001df09ef84617b8ae4784a945558d813510a38688d2962

RedLineStealer

4a07a70731fe916d377888b49ac5bb01dac3f32a48a6311cd8fd616d9082cfa1

RedLineStealer

59131e55898be4de6efa846f46a69f71e7ab941e6b0e3f6fc01b80693d68ea44

RedLineStealer

5b54867f600777e8cec30c3386a3d42f08da4e1a3a4e636f135e25e2d9850603

RedLineStealer

7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa

RedLineStealer

aed0d35fe387f68070bb711b510c723876208a4adf77a8d8613252943967dd14

RedLineStealer

b38fb291fd59ee1e6886120513beb35fa6aae5f5b1ac77c0f1c8746458d49d2c

RedLineStealer

+ 1'986 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer spyware

Link:

https://tria.ge/reports/220329-efmj1sfceq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.25:27757

Unpacked files

SH256 hash:

3b3778a8239b37eb4606c8f07340888f767d99ffb0aad1df1d4198a3e706c95d

MD5 hash:

aef68a2e65a47f8e43ac87a515c0d675

SHA1 hash:

a77be1aee2a8bd3ca7b873f473e137613bca1813

Link:

https://www.unpac.me/results/c29d18f2-2ac3-4292-ad90-e1a536728846/

SH256 hash:

0f1ff1935ab13932f4c5325bb366b50c4680a0df2a940ed9faf4afc173384819

MD5 hash:

9d089ce927978cf4e85941f92e861e34

SHA1 hash:

f8f06ba531b3b110c3b5729d7a0039f9a7fde9c5

Link:

https://www.unpac.me/results/c29d18f2-2ac3-4292-ad90-e1a536728846/

SH256 hash:

7d124975437e9e3d3aab4a9fcb067532ad6cd8da6c99fa6a183f3343dc33f06a

MD5 hash:

1c292bcd90fbcbefdee77404ea88da83

SHA1 hash:

3ec69f232e445bbe016fe37ad1d158f52ebe2b74

Link:

https://www.unpac.me/results/c29d18f2-2ac3-4292-ad90-e1a536728846/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7d124975437e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7d124975437e9e3d3aab4a9fcb067532ad6cd8da6c99fa6a183f3343dc33f06a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/258851/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample