MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413
SHA3-384 hash:	10f30abf119d9b97981cf2bb5d9a3d403427b609de57921805fdebcac38cf8bf4e218a0543f7cd8f084677e34d76d2dd
SHA1 hash:	33cf0ad9191cd529ee787cb88340c7838b9a60dd
MD5 hash:	5ce3e07185414336f21f58d714e9ea05
humanhash:	jupiter-hydrogen-kentucky-batman
File name:	5ce3e07185414336f21f58d714e9ea05.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	354'816 bytes
First seen:	2023-07-20 06:56:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5dc16ea88b2eab7740fd105d5e24a675 (2 x RedLineStealer, 1 x Tofsee, 1 x Glupteba)
ssdeep	6144:RD9BXaCIFXl0LYSa4zHZ9fgbQGtb8usdCe9SZ8aPwzMzNCT:Rh9DIFXBKEbDtQusYrzho
Threatray	143 similar samples on MalwareBazaar
TLSH	T1C274E12136A1C036D06BA9314871CA925E7ABCF2E77C61C733583A3E6D716D08BB4797
TrID	52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.5% (.EXE) Win32 Executable (generic) (4505/5/1) 3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	90942488a2409800 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
178.32.90.250:29608

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

5ce3e07185414336f21f58d714e9ea05.exe

Verdict:

Malicious activity

Analysis date:

2023-07-20 06:58:56 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/156892d6-10e6-41da-816c-2985cab98bf8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/425776/

Detection(s):

SecuriteInfo.com.Variant.Zusy.477830.4855.9347.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64b8da83fd9e198dc1166605/reports/f8245488-b91c-4b4e-922b-6214cb88a5ea/overview

Verdict:

Malicious

Labled as:

Ransom.11734606

Link:

https://www.hybrid-analysis.com/sample/7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1bb04806-6f0e-4ecb-ba63-88dba2395bd8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1276483

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413/

Threat name:

Win32.Ransomware.Phobos

Status:

Malicious

First seen:

2023-07-20 05:03:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pwyqmo6zpp7mg5zek5io5yj7aszofc6za2vwpog7tv4obogxwqjq._file

Verdict:

malicious

RedLineStealer

3d9868ef3b6c60ebe9ef766672923f57253ac74cd5bc2592e2d62bb984b5f95d

RedLineStealer

549049c206798ac82da3d7bf88fec6d324737390070547998c0828b916905d9c

RedLineStealer

67de75fa63b6f101a2da5e047edd26ee239cc1767d716c2690d55bfb3e49882d

RedLineStealer

75f9db664373b1e957799e65139d1468c7cc7f39ce171c100b875d886cda0690

RedLineStealer

77901283fc6711af62fcd0f941765964d9dbe145f078df2e2b4cbc2eae38d850

RedLineStealer

9a40547f923c813c901965b126bf23239fc3437479616772b028745a71d709fd

RedLineStealer

a8ab824da87f6df5db7402a67edca0baf3b2da422ab48dbded3d03cb9e137ed5

RedLineStealer

cfe902baa8761bc95dd9993c041077945f20060bab4cd764429c76470f25d82b

RedLineStealer

e7006b8d71261b865d8601aa6e3b62f6b619f9d93ce857b288f9555cb17d5153

RedLineStealer

+ 133 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (bot: @logsdillabot) discovery evasion infostealer spyware stealer themida trojan

Link:

https://tria.ge/reports/230720-hqcpcadc76/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

Malware Config

C2 Extraction:

178.32.90.250:29608

Unpacked files

SH256 hash:

fd7fcb15664a8d6b15f986edf7b1b89ac04fd0b7e2c75ba51f2d7be2b16bd25e

MD5 hash:

226ebe2b896adda7d7ca7808c7830e79

SHA1 hash:

dbc7a3619f3ae0e77d983718ddf7447ff9aa2e0c

Link:

https://www.unpac.me/results/347a82d9-a8e9-4f73-aa50-742838c91fda/

SH256 hash:

055d23615d232b3b26dce994eb4e011505be13199c97610974f011bba0adc805

MD5 hash:

84fdf79fc25c72aa2a12972d25e8476b

SHA1 hash:

72288d6450b272481eb9a606367f7ee848427f98

Link:

https://www.unpac.me/results/347a82d9-a8e9-4f73-aa50-742838c91fda/

SH256 hash:

6b50f48dd61d0e8af9d39ec9c4326a28cd3298e8b336bfdd5c81cd3db2bb1e54

MD5 hash:

c5634c071c4a20379d58bf9e5f4d9a8c

SHA1 hash:

3c5e48ad01611b0c79b204ec398c9b3d8a30a21e

Detections:

redline

Link:

https://www.unpac.me/results/347a82d9-a8e9-4f73-aa50-742838c91fda/

Parent samples :

d3c8faef1fc611343ee8bdd7462c6c9e0b90394da533475f46a518bb2c63329f
7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413
a080fb72f5167c76a0076864e959058168d7fdf22699e51b865adc0688eebac9
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
7c1f977a3b607dab39ee80ccef392929f038c69d75730e3881011b292c518710
b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b
0ffe096e263b93450e971cb1485fd907b6572638228a1cd9ddd1575a866c6cc9
cdbfb15564317948c800599bf4e4ae31ca937d89a716dc1bf52752e10fa7980a
732c6933975284af9ff5eb21fb1f667a66c0751cd2dc87cb87e352dfa8918ee3
6cbe4e43208d3edd0da509a7bf7bd1a17b8cdd81806eb7107ab26adc633c4ae2

SH256 hash:

6178ca1d58de3919bbb2953d0571abab36e10d95f83624ec6cd174b1d29aade1

MD5 hash:

92466a9033e3c20a4a960a352ddc1781

SHA1 hash:

35716bf3775bd1662e9359d74fbcbcfcc8427709

Detections:

redline

Link:

https://www.unpac.me/results/347a82d9-a8e9-4f73-aa50-742838c91fda/

Parent samples :

SH256 hash:

7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413

MD5 hash:

5ce3e07185414336f21f58d714e9ea05

SHA1 hash:

33cf0ad9191cd529ee787cb88340c7838b9a60dd

Link:

https://www.unpac.me/results/347a82d9-a8e9-4f73-aa50-742838c91fda/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7db1063bd97b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/425776/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample