MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a70e4487b1342707ba6ae5a1b51796542f65f904d6778780f324c459e306152a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	a70e4487b1342707ba6ae5a1b51796542f65f904d6778780f324c459e306152a
SHA3-384 hash:	7260fe3e62a1b8a9cabf7ff113ab4c2a1ca8dc599ddec18532a931e75201b41a0bb3e737c73bcdebd40e4768220c55f7
SHA1 hash:	c9ba49e325ee03a39ab3b4de9f056cef1fa49b18
MD5 hash:	2dfddbcf851bcf2794df434c000d95c4
humanhash:	south-white-bakerloo-mockingbird
File name:	2dfddbcf851bcf2794df434c000d95c4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	597'504 bytes
First seen:	2022-03-03 09:04:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fdc337a25282d3662375292d95cfcd8b (3 x RedLineStealer, 1 x Smoke Loader)
ssdeep	12288:AvMNXZr3JORqzzRHLoav7QjwhXxuuCKlRqpdhefG:AuXZr3JOwzV0K8jwREwluOG
Threatray	909 similar samples on MalwareBazaar
TLSH	T105D4011132D0C432D5F726774834C7B94E7BB87629255A8F7BC927BE9F246E29B20309
File icon (PE):
dhash icon	d2b1e4c4ecb987f9 (17 x RedLineStealer, 10 x Smoke Loader, 4 x Amadey)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246823/

Detection(s):

Win.Malware.Generic-9937750-0

Win.Dropper.Tofsee-9937828-0

Win.Dropper.Tofsee-9937829-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8023/overview

Behaviour

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6add8841-eb7f-4bb6-913e-eb78b7d841a5

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949816

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Autohotkey Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a70e4487b1342707ba6ae5a1b51796542f65f904d6778780f324c459e306152a/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2022-03-03 09:05:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

51dab2aed9a33526c883c60b970d756e7fe8215630861d61c839d4a491a91120

RedLineStealer

53284c3dc0078ff9aa534d3401a7cb1235e10a301d84dc362d6d2384cfbf7b64

RedLineStealer

556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5

RedLineStealer

63116a7686b86bf85bfc4e27fa6f465f8dea270f165c431cac19dd647579fbc5

RedLineStealer

8531f21496d70ac1be7776820ceaae3dd210d71b8a91d61c2e8b37f7daadcc48

RedLineStealer

8e9aae404ccd79f4b2358431194563e1d7dec5bc7bf534682446a45f2a585d0b

RedLineStealer

9fcd071f437b5db8ba6df1902a41a9b226f5fb644bb83056138415f36b2abcff

RedLineStealer

d3871fdb5a8fe94cd12f6cc9e16c7b18aa7843f3a3058429e3ee92d0f87a977a

RedLineStealer

+ 899 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix03.03 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220303-k17zcaabb8/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

185.215.113.17:7700

Unpacked files

SH256 hash:

c68f1f5fa511083b3f859a6c37c1dc60bd21635f4393f778a1c283c10386b56a

MD5 hash:

71c0b1739effff7869192445f82e0606

SHA1 hash:

db53802fe16ad7db5b1465f17626d1e737915e73

Link:

https://www.unpac.me/results/740e0f32-d040-4163-b9ca-35880c871ddd/

SH256 hash:

a70e4487b1342707ba6ae5a1b51796542f65f904d6778780f324c459e306152a

MD5 hash:

2dfddbcf851bcf2794df434c000d95c4

SHA1 hash:

c9ba49e325ee03a39ab3b4de9f056cef1fa49b18

Link:

https://www.unpac.me/results/740e0f32-d040-4163-b9ca-35880c871ddd/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a70e4487b134/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a70e4487b1342707ba6ae5a1b51796542f65f904d6778780f324c459e306152a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe a70e4487b1342707ba6ae5a1b51796542f65f904d6778780f324c459e306152a

(this sample)

Cape

https://www.capesandbox.com/analysis/246823/

URLhaus

https://urlhaus.abuse.ch/url/1942108/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample