MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a47754f736140f2fcd0f9cf99e53e4a5f11efe7e443588a2bdb23f4eaa433d6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 5

Intelligence 5 IOCs 1 YARA 5 File information Comments

SHA256 hash:	a47754f736140f2fcd0f9cf99e53e4a5f11efe7e443588a2bdb23f4eaa433d6e
SHA3-384 hash:	f3ca41c5a4da72122dbca5d2d08ea27017ebcf1278db9fe1de5bbdf7b9227cb3989d6bb0dc218be674c23c4db9bd8229
SHA1 hash:	7f4918473afe166f35c538ddfe4f4ceb31cd5611
MD5 hash:	ba82655d38c91c336e2c7d9987e220e9
humanhash:	king-comet-don-shade
File name:	CELADON SCAM VIDEO + SCREENS.rar
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	430'906 bytes
First seen:	2023-01-19 19:59:50 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:AV2xJmHOR6DOH8xdv83J9BWU6JcIYDPwd:86688T8PBkJcIcId
TLSH	T15D94BE6A349539A3C1B933ECFAC7E57D3AB57AED462A40D1B2B4B5179C0C5988C30E70
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	iamdeadlyz
Tags:	167-235-233-35 FakeCeladonGame file-pumped rar RedLineStealer scr

Iamdeadlyz

"BunnyBae" attempted to infect me while investigating celadon.game (impersonation of the Celadon game by Karpopper - store.steampowered.com/app/2093680/Celadon)
RedLineStealer C&C: 167.235.233.35:16621

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
167.235.233.35:16621	https://threatfox.abuse.ch/ioc/842482/

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

n/a

File Archive Information

This file archive contains 4 file(s), sorted by their relevance:

File name:	CELADON PROOF TELEGRAM SCAM.jpg
File size:	80'303 bytes
SHA256 hash:	6c9e445ba2d0770d9d8528df1d439574071b1d7d039be23a9ddbb91966b748cf
MD5 hash:	714bcb2ca643ee26a4728e687cf1b279
MIME type:	image/jpeg
Signature	RedLineStealer

File name:	WHOIS SCAM DOMAIN UPDATED 2023-01-17.jpg
File size:	27'425 bytes
SHA256 hash:	27096117ebdfe66551aaff79c72ad7c12bd72d9742b5b5f0c8efba2c371754f4
MD5 hash:	03ea9672348f89bc08df3fc867d0503f
MIME type:	image/jpeg
Signature	RedLineStealer

File name:	VIDEO PROOF CELADON SCAM TWITTER, TELEGRAM, DISCORD by BUNNYBAE .mp4.scr
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	734'303'704 bytes
SHA256 hash:	58613420c35573dbc7839d2ace556ee736d87d4e3803399b1e103cc53aada82b
MD5 hash:	f6d2d77ececf983aa0d88b170ec70e22
De-pumped file size:	288'256 bytes (Vs. original size of 734'303'704 bytes)
De-pumped SHA256 hash:	f18a102bd084a97dc20be35e7447462c2c3eefc8ba26c42f1d7ac55eadea7d6f
De-pumped MD5 hash:	46dd0b3543e424392b999979e7007332
MIME type:	application/x-dosexec
Signature	RedLineStealer

File name:	CELADON PROOF TWITTER SCAM CHANNEL TELEGRAM 2 LINKS.jpg
File size:	106'440 bytes
SHA256 hash:	f824020b0566a14f86d6e1a0779dbf8c13142d3e982fc57d06dcbacf9d41d9ac
MD5 hash:	1e171422c88ac93bcc581c657964977e
MIME type:	image/jpeg
Signature	RedLineStealer

Vendor Threat Intelligence

Verdict:

Unknown

Threat level:

n/a -.1/10

Confidence:

100%

Tags:

large-file obfuscated overlay packed

Link:

https://www.filescan.io/uploads/63c9a145447edb203affd444/reports/34451698-0400-49cd-95cd-bc0192894e67/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a47754f736140f2fcd0f9cf99e53e4a5f11efe7e443588a2bdb23f4eaa433d6e/

Threat name:

Binary.Trojan.Hulk

Status:

Malicious

First seen:

2023-01-19 20:08:52 UTC

AV detection:

6 of 34 (17.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ur3vj5zwcqhs7tiptt4z4u7euxyr57t6iq2yriv5wi7u5ksdhvxa._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a47754f736140f2fcd0f9cf99e53e4a5f11efe7e443588a2bdb23f4eaa433d6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

rar a47754f736140f2fcd0f9cf99e53e4a5f11efe7e443588a2bdb23f4eaa433d6e

(this sample)

58613420c35573dbc7839d2ace556ee736d87d4e3803399b1e103cc53aada82b

Dropping

SHA256 58613420c35573dbc7839d2ace556ee736d87d4e3803399b1e103cc53aada82b

Dropping

SHA256 f18a102bd084a97dc20be35e7447462c2c3eefc8ba26c42f1d7ac55eadea7d6f

Delivery method

Distributed via web download

Dropping

MD5 46dd0b3543e424392b999979e7007332

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample