MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f5fb937bb138c7e292ec64f79ac0b6d887d47a8b3e21153c1a05df91dfb823b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	7f5fb937bb138c7e292ec64f79ac0b6d887d47a8b3e21153c1a05df91dfb823b
SHA3-384 hash:	94a17dc0a0c1d6f299ffb4349d10263bae79bd5b5c400b8a899242a1a4b6c03f79c7f4eb3643daea305e8d1d48847cc3
SHA1 hash:	6c6acf5e2496f7c838a91db2c2830ab977f3d796
MD5 hash:	6a4f058858522c6293e122a6e6cc5b16
humanhash:	white-eleven-arkansas-nevada
File name:	7f5fb937bb138c7e292ec64f79ac0b6d887d47a8b3e21153c1a05df91dfb823b
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	410'024 bytes
First seen:	2021-06-01 11:51:40 UTC
Last seen:	2021-06-01 12:53:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0479728b0bbbaea2fc170e4fb90137cc (1 x Stop, 1 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep	6144:uwDutASxuBLK+W0debiHvO4+z7DDN1YndXGAS3a9KBubnjVMdAC:uwDuuSxuBOz0dEiHlc7vNGJGT0b2dn
Threatray	678 similar samples on MalwareBazaar
TLSH	F794AE00B690D035F5F236F44EBB92BDA53DBDA1EB2450CF22D4AAE956356E0AD31307
Reporter	JAMESWT_WT
Tags:	exe PIK MOTEL S.R.L. RedLineStealer signed

Code Signing Certificate

Organisation:	PIK MOTEL S.R.L.
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-05-20T00:00:00Z
Valid to:	2022-05-20T23:59:59Z
Serial number:	e0a83917660d05cf476374659d3c7b85
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	1ea1ad1032604b6751d45e963cc20d1ecc9dc23d6eee083fa110665471eefc97
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

166

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7f5fb937bb138c7e292ec64f79ac0b6d887d47a8b3e21153c1a05df91dfb823b

Verdict:

Malicious activity

Analysis date:

2021-06-01 11:54:58 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/0f980a6a-7afd-4654-864f-c83f33161958

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/163792/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.30508.19093.1038.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d5f471d-296f-45dc-b32a-bbcf2f93aab7

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/795244

Signature

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f5fb937bb138c7e292ec64f79ac0b6d887d47a8b3e21153c1a05df91dfb823b/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-06-01 03:33:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p5p3sn53cogh4kjoyzhxtlalnweh2r5iwprbcu6bubo7shp3qi5q._file

Verdict:

malicious

RedLineStealer

4c8d1a1d118384df23575d4421f573f9b97d984b295083b329a8ee08709dcfce

RedLineStealer

7b9bd29f5c0787b2937b34493ca5a7128d476dc9f4257643f1fd47d48399eafa

RedLineStealer

7ff8de714cd1be1409b0c13a946c21f945a0bfdc8fd7e0b1a0f4e20f3ba0e80a

RedLineStealer

865fc17286ce58e28350c60fd7bb6ae82187c4af18f04afa9faa31ccaee3e1d2

RedLineStealer

9c4589b45940c81fcc8722fa0f96f4b583995df1324a327eefbc276448ea4725

RedLineStealer

a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b

RedLineStealer

defc8c4fa50129d532f0a9bf7a314043fdd3adbf69e46a1b50b9ade98a75926a

RedLineStealer

e64ecde487ecb44035cf435d457237a4f8b8cedbbe055fa1e6698ad2a3939fed

RedLineStealer

f01f44864129ba56c115b4c4dcaf8373a1f7996a142e17ffcf4d7f4f875bcdaa

RedLineStealer

+ 668 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:test discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210601-xrecnaxzpa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

onazarlandu.xyz:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7f5fb937bb138c7e292ec64f79ac0b6d887d47a8b3e21153c1a05df91dfb823b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/163792/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample