MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a58f7ca70595d7712b2ee497067698b69e1f6eb8173fe898fa1874ce57ad39fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a58f7ca70595d7712b2ee497067698b69e1f6eb8173fe898fa1874ce57ad39fd
SHA3-384 hash:	fc943a929f165a7c638855732caea72eac20ec2e5a62fd62839d79be0315920b37be243345aa3727bc39a0af2b20cfce
SHA1 hash:	167e5a41c3dbdd41b81654aee1f91ed6286594d0
MD5 hash:	8615925300c0b6340643f983f572a943
humanhash:	sink-cola-avocado-iowa
File name:	8615925300c0b6340643f983f572a943.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	286'208 bytes
First seen:	2022-07-15 20:20:38 UTC
Last seen:	2024-07-24 19:56:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1babba8ebf028e1ff7cbb28d85574e06 (3 x RedLineStealer, 1 x GCleaner, 1 x Smoke Loader)
ssdeep	6144:FCF1+l+2T26pJoIXJ6OlI12Ol4sv8OCl7LVEClIqiLA:FKO+2TxJoIXblj/y8H7LVECShA
TLSH	T1B754E120B6F1D4F1F5F3163018B2D3A21A7F7A236630928F37A41B6D5E7039169AA357
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea6ac8ccc (78 x RedLineStealer, 43 x Smoke Loader, 13 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
195.22.152.47:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
195.22.152.47:80	https://threatfox.abuse.ch/ioc/837950/

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/290760/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.22512.21253.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62d1cccb3c475438b548f0bd/reports/c3d35e80-1e95-4783-b095-f46904aef1e3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/436903c9-32e4-422e-9340-49c6765ec15a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1032983

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a58f7ca70595d7712b2ee497067698b69e1f6eb8173fe898fa1874ce57ad39fd/

Threat name:

Win32.Spyware.RedLine

Status:

Suspicious

First seen:

2022-07-15 20:21:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uwhxzjyfsxlxckzo4slqm5uyw2pb63vyc476rgh2db2m4v5nhh6q._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:adsfelix discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220715-y4zc9sfbdp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

timenist.agency:80

Unpacked files

SH256 hash:

d21f997c5cca30e825426f7e0f0869999e708b45ebd664abe69d8762298bda75

MD5 hash:

d81c1f6082f017aaa5825255f6a4262a

SHA1 hash:

ec6d9ff0c016ee645d1fecb5c2c04de892e4fb0c

Link:

https://www.unpac.me/results/2999f8a4-6d6d-4909-8b83-25344f0ed93f/

SH256 hash:

438162d516537c3149706ee1f84d5e96445be1b31983e90129b851af306c41fb

MD5 hash:

802f67575c243dd547c1f321228fcfa2

SHA1 hash:

be18cc7cfa23ceb9d7d3d3e0da2dae33e30fd3d6

Link:

https://www.unpac.me/results/2999f8a4-6d6d-4909-8b83-25344f0ed93f/

SH256 hash:

01909b730b521b9d55b15268f588f702b6e75184322912670504c7061b0009da

MD5 hash:

4597d38d83b83ffda51ca9598e8c82e4

SHA1 hash:

3453647b8cff3a7f09221a751d63020a5b5d9119

Link:

https://www.unpac.me/results/2999f8a4-6d6d-4909-8b83-25344f0ed93f/

SH256 hash:

a58f7ca70595d7712b2ee497067698b69e1f6eb8173fe898fa1874ce57ad39fd

MD5 hash:

8615925300c0b6340643f983f572a943

SHA1 hash:

167e5a41c3dbdd41b81654aee1f91ed6286594d0

Link:

https://www.unpac.me/results/2999f8a4-6d6d-4909-8b83-25344f0ed93f/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a58f7ca70595/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a58f7ca70595d7712b2ee497067698b69e1f6eb8173fe898fa1874ce57ad39fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.