MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fd5199c4d755d73b969ab38ebf4f8fd085a7219a88efdc4ee1588481a90414c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	7fd5199c4d755d73b969ab38ebf4f8fd085a7219a88efdc4ee1588481a90414c
SHA3-384 hash:	1569a3cdf15827c7813c3bff09b72ea843fb94f94493497aaaca37a9087f0529cbd4cd50a67949890cde19fe4a85c4fc
SHA1 hash:	4ad7e18674e293e936f086597f1b9c917c66c7b5
MD5 hash:	20fffabcc7b65bd421a0033d6b6940c4
humanhash:	echo-happy-chicken-romeo
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	217'088 bytes
First seen:	2022-12-22 21:52:40 UTC
Last seen:	2022-12-22 23:31:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f171bb6c6f6b1d6d32649a265a2ed44a (9 x RedLineStealer, 1 x RecordBreaker)
ssdeep	3072:WbAw3uZHS/5G988Fm1ElEZtVAqMPF72QjckRGaDwixMgncTtPYh6hB:gAPHS/5G9jFmiqM9nj83+RngPr
Threatray	1'866 similar samples on MalwareBazaar
TLSH	T14F24109B6C5DDA35C38E9132E87B03CA5155029631FE095C960A02F7AD6F6908E1FF2F
TrID	40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 12.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.0% (.EXE) Win32 Executable (generic) (4505/5/1) 5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	jstrosch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-22 22:02:16 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/0f837a79-7e87-4691-93b0-47e8840f0c12

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/349208/

Detection(s):

SecuriteInfo.com.Variant.Ser.Fragtor.1316.30176.12176.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

anti-debug anti-vm

Link:

https://www.filescan.io/uploads/63a4d1c286162b686f748044/reports/50dda721-7983-48e8-a5af-3ba7c62f58fb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e2fd1abc-f5dc-4913-8935-4246accb0128

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1139639

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fd5199c4d755d73b969ab38ebf4f8fd085a7219a88efdc4ee1588481a90414c/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-12-22 20:47:19 UTC

File Type:

PE (Exe)

AV detection:

22 of 40 (55.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p7krthcnovoxholjvm4ox5hy7uefu4qzvchp3rhocweeqguqifga._file

Verdict:

malicious

RedLineStealer

1873e78bd7364486ab4b563ca9c58ec76cb75c4acfa48b261d78d85a537c749a

RedLineStealer

23e50a063d80a03e90310e16e7223eac7c54c2029db1fec2bf52c51d3be06c2d

RedLineStealer

2fa0d222f93bf219276a5ea988b24e2f44bf654285f45ff143233657030ded0c

RedLineStealer

47882cbac974961e1e003b60646d60f2c0316acf405c40707dc2abbdcbcb8805

RedLineStealer

65935b24250d73665370e034a7d7173e47f9e987b085a6f77342c2d9926a48eb

RedLineStealer

80a57a2c22e7ea3318f2027af5d4fb57ecc76a0de5236c087b9554b739350aa6

RedLineStealer

a3679e6c9bffd5313696c15aea5074be0aa0533ee1b6419ec06969a720be6951

RedLineStealer

ac85235ed7905d82b2cb1571448089b9387f49a2b41091b163fbdde30b0925a8

RedLineStealer

fb65db138ed870c36bc6ef04c5d13b7e6789dc5d002cbcfa2111341fb4d20b13

RedLineStealer

+ 1'856 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer spyware

Link:

https://tria.ge/reports/221222-1rl9aafc72/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

62.204.41.141:24758

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5cfb76bb-be8e-4d32-90a2-2e50c0ce385f

Unpacked files

SH256 hash:

628b1f9d85bc277c148aae0731a5f93eeac4be9bcf460aaa04609b8b7cda083a

MD5 hash:

6ab780ee8eb18997f7782082184079db

SHA1 hash:

68735ea64dc4360154ebe3c7bfe15c3414a82a55

Detections:

redline

Link:

https://www.unpac.me/results/46ec8ce9-22b8-4896-89b0-72d9feb545b8/

SH256 hash:

7fd5199c4d755d73b969ab38ebf4f8fd085a7219a88efdc4ee1588481a90414c

MD5 hash:

20fffabcc7b65bd421a0033d6b6940c4

SHA1 hash:

4ad7e18674e293e936f086597f1b9c917c66c7b5

Link:

https://www.unpac.me/results/46ec8ce9-22b8-4896-89b0-72d9feb545b8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7fd5199c4d75/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7fd5199c4d755d73b969ab38ebf4f8fd085a7219a88efdc4ee1588481a90414c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Win32_Trojan_RedLineStealer Create hunting rule
Author:	Netskope Threat Labs
Description:	Identifies RedLine Stealer samples
Reference:	deb95cae4ba26dfba536402318154405