MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e7cf5a3069c6ffd76d00f193d85cd8d0afcd13ae022626d21b11e264700c91c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e7cf5a3069c6ffd76d00f193d85cd8d0afcd13ae022626d21b11e264700c91c
SHA3-384 hash: c608e29d9962e050ca32a7ea196175f0f5bc55face3365f6784b609b7ce1f1288474b83a2911af4dfdd4f08c60105028
SHA1 hash: 409c9e44b29bf71d1920abd7f462db7f99310877
MD5 hash: 168f735bac9d1a688c4399cf2c041c32
humanhash: helium-fix-spaghetti-edward
File name:168f735bac9d1a688c4399cf2c041c32.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'190'912 bytes
First seen:2022-10-30 08:40:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f9dd8a0feaf4fa9fd20d4d8ea4827100 (17 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 24576:XRXk2jYpY9gJfpM3mPYE7Xn4GSDeDg0NlwrjB:BXkl351GF
Threatray 399 similar samples on MalwareBazaar
TLSH T173456C29FB0725B4DA235371895FEA7B9B147A148032EE7FFF8BDA08B4330163845665
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.217.98.127:4274

Intelligence

File Origin
# of uploads :
1
# of downloads :
374
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
168f735bac9d1a688c4399cf2c041c32.exe
Verdict:
Malicious activity
Analysis date:
2022-10-30 08:41:56 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e0cc0444-cd08-4f07-8836-e0db15b9e1ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326071/
Detection(s):
Win.Dropper.Detected-9976151-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46768/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/635e389fa5db8d309cbbe6c7/reports/5052db24-9310-4404-8f22-6a3ec2615765/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a781b362-aeee-4315-b285-e11758c466ae
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101193
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 733854 Sample: YLGcxRatFb.exe Startdate: 30/10/2022 Architecture: WINDOWS Score: 100 38 goback.delivery 2->38 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 5 other signatures 2->50 10 YLGcxRatFb.exe 1 2->10         started        signatures3 process4 signatures5 58 Contains functionality to inject code into remote processes 10->58 60 Writes to foreign memory regions 10->60 62 Allocates memory in foreign processes 10->62 64 Injects a PE file into a foreign processes 10->64 13 vbc.exe 15 7 10->13         started        18 WerFault.exe 23 9 10->18         started        20 conhost.exe 10->20         started        process6 dnsIp7 40 95.217.98.127, 4274, 49698 HETZNER-ASDE Germany 13->40 42 cdn.discordapp.com 162.159.130.233, 443, 49699 CLOUDFLARENETUS United States 13->42 34 C:\...\Servan_v0.9_Servan_windows_64.exe, PE32+ 13->34 dropped 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->66 68 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->68 70 Tries to harvest and steal browser information (history, passwords, etc) 13->70 72 Tries to steal Crypto Currency Wallets 13->72 22 Servan_v0.9_Servan_windows_64.exe 13->22         started        36 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->36 dropped file8 signatures9 process10 signatures11 52 Antivirus detection for dropped file 22->52 54 Multi AV Scanner detection for dropped file 22->54 25 powershell.exe 22->25         started        28 powershell.exe 22->28         started        process12 signatures13 56 Queries memory information (via WMI often done to detect virtual machines) 25->56 30 conhost.exe 25->30         started        32 conhost.exe 28->32         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e7cf5a3069c6ffd76d00f193d85cd8d0afcd13ae022626d21b11e264700c91c/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 13:08:00 UTC
File Type:
PE (Exe)
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pz6pliygtrx725wqb4mt3bonrufpzuj24arge3jbwepcmryazeoa._file
Verdict:
malicious
Similar samples:
02c1c4241e1211580f078778611ae7c11d6f7a5bdef75cf01cbb6a5185f1c3a8
RedLineStealer
35ba668de0b81553c08865fa08b6d1dba20d36b7d284edf25d5f1b60f42f034b
RedLineStealer
4a75a23c13301872f46f4530b071bc4534a211435d5a8d8534b1455735c571b1
RedLineStealer
63d3c658ed73776e08821a7917a13b342ef14c61aa5bb323e71551b3125e8b45
RedLineStealer
65d77c6d99bfdf41472afef809ff3a719e16610ac76fc68994b10bbae824dc6d
RedLineStealer
677817a0182db451275cf23a4c1b96bb9d00ca6c3c50b244723bc6c0ef96b219
RedLineStealer
6f6e8e9441fa7b35c0b1676a69957404081ca8a357b38a6640adb38375a7424d
RedLineStealer
b61546030dbe1d3839d0244d814e48f88b36f70303750590b67cfed3486a4e8d
RedLineStealer
f8a941938484a00306232e77b8af41e7f81df56e4aa9864a2b59ea8ebfbc892b
RedLineStealer
fe98e1419e9ffe47ad09dfb3495b9c357bf3b4ae4b1bc179d2fd67c13a253068
RedLineStealer
+ 389 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware stealer upx
Link:
https://tria.ge/reports/221030-klfasabfb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine payload
Malware Config
C2 Extraction:
95.217.98.127:4274
Unpacked files
SH256 hash:
02a094e0084b991ad26a2810b6692ae26d213410f7fc6da8ca14fa027f6873e6
MD5 hash:
a06c9aaffcda8e022c1d5228eebf3214
SHA1 hash:
60a0eff51ac921aebc0c7313e64c76ef18a79f98
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/1fa51866-2af0-4556-be35-994b6bfbdc60/
SH256 hash:
7e7cf5a3069c6ffd76d00f193d85cd8d0afcd13ae022626d21b11e264700c91c
MD5 hash:
168f735bac9d1a688c4399cf2c041c32
SHA1 hash:
409c9e44b29bf71d1920abd7f462db7f99310877
Link:
https://www.unpac.me/results/1fa51866-2af0-4556-be35-994b6bfbdc60/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e7cf5a3069c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e7cf5a3069c6ffd76d00f193d85cd8d0afcd13ae022626d21b11e264700c91c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326071/

Comments