MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d1e849023f5d5dfa29320d5c2d067a101bb16231b98b312d35d18a02bf0e58e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	7d1e849023f5d5dfa29320d5c2d067a101bb16231b98b312d35d18a02bf0e58e
SHA3-384 hash:	10a58084bc43e1884c76304a10fc42a48257f4cb2ce725864c8ad32b3a92743f0bb10f2b0cd13cb30528662cff2770cd
SHA1 hash:	ab30bca8764dc63c094c8932d2d4d9cb45604938
MD5 hash:	7d6809e72a1fff5776362a6e1fec69a8
humanhash:	papa-bacon-pasta-massachusetts
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'685'096 bytes
First seen:	2022-10-19 11:52:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a93cea5329220fb90674a1f0bde2cd0e (40 x RedLineStealer, 7 x RecordBreaker, 2 x ErbiumStealer)
ssdeep	24576:Ge0oSp3K8+2YuY7MOPb/M+SkswdNlWmi/wkPAGLY/r6TKYMTTLYWLgFHel3RuQ5d:Ge03lK8WZkPqrARMTTLYWsEl3P
Threatray	853 similar samples on MalwareBazaar
TLSH	T136C52A135A8B0D75DDD23BB4A1CB633EA734ED30CA3A9B7BB608C53959532C46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://79.137.192.57/tool/softwinx86.exe

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-19 11:53:08 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a188eeab-e6b2-4ae7-95fa-44f490f072e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321687/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.33622.31210.12883.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/43815/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/634fe51f66721ebd9b2f3045/reports/a2cfd76a-1799-463a-b4ba-59496dbc7f6d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c19499ba-120b-43b5-a62b-b7863165823a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1093432

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d1e849023f5d5dfa29320d5c2d067a101bb16231b98b312d35d18a02bf0e58e/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-10-19 12:26:16 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pupijebd6xk57iutedk4fudhuea3wfrddomlgewtlumkak7q4wha._file

Verdict:

malicious

RedLineStealer

824790997e40228c635b02fa75148e6e53b28ce5062509614bcad4570f6a455f

RedLineStealer

8cec1b640f03ea4a093bf2eb41a817f34ab550cfdfe47a11a1814031188e5828

RedLineStealer

9cd9e630d1113f57e6f0dcc6164bac77282e172b8f69a289008a7a5065e8331c

RedLineStealer

9d0d4efa6ce4cd3d21d8cdc6c8fd494bb6eebebdc2bde1afe22989f3b09544b0

RedLineStealer

ee2f4e019c67ac698cd6070a2a10c4b634bccc69147c2fa8c38984835f7ffa5c

RedLineStealer

+ 843 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1310 infostealer spyware

Link:

https://tria.ge/reports/221019-n2al1sgacl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

79.137.192.57:48771

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/24e0ed3e-187f-424f-849f-f953288d1107

Unpacked files

SH256 hash:

f467c782288db3d55e034206b86137295a749bc71761a18b1bb90c2da277d3d2

MD5 hash:

4d75d7ab05e5a2299a9920f46ca92a4c

SHA1 hash:

98692d8219f1fe45695a4389b912c965979193b3

Detections:

redline

Link:

https://www.unpac.me/results/1b8690af-18b5-4402-8b62-2681c5fa5e1e/

SH256 hash:

7d1e849023f5d5dfa29320d5c2d067a101bb16231b98b312d35d18a02bf0e58e

MD5 hash:

7d6809e72a1fff5776362a6e1fec69a8

SHA1 hash:

ab30bca8764dc63c094c8932d2d4d9cb45604938

Link:

https://www.unpac.me/results/1b8690af-18b5-4402-8b62-2681c5fa5e1e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7d1e849023f5d5dfa29320d5c2d067a101bb16231b98b312d35d18a02bf0e58e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/321687/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample