MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a74b01420e8468adebb40c4608d8cfc5d502f3bfed6a5ec20a2529e371fff5f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 2 File information Comments

SHA256 hash:	a74b01420e8468adebb40c4608d8cfc5d502f3bfed6a5ec20a2529e371fff5f4
SHA3-384 hash:	a34b9a1b48aeb894248b705faf9bf60a6c8a46fc386c12174b6648c6321e630c3d7cda9a4e2f84799fea80424def8e2c
SHA1 hash:	bd3c47c948de432a6a299e9838e34c0232c40a0d
MD5 hash:	492741caac0d572d99c2c1f9ffe0963e
humanhash:	timing-south-magnesium-jig
File name:	a74b01420e8468adebb40c4608d8cfc5d502f3bfed6a5.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	414'208 bytes
First seen:	2022-09-19 15:46:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e3db219c45a2e0e44eb0b69d53cb34b7 (4 x RedLineStealer, 2 x Stop)
ssdeep	12288:DZaEP72yZ4AhPqDy9uPLAFQt1WnU3dMphyGlknNpQ:DZx72Sqyk8FQcUueNpQ
Threatray	3'279 similar samples on MalwareBazaar
TLSH	T17994F11172D1C5BED0661C306D34FBA1263BB8317A3490ABF7956B5F5EB23E0AA71302
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea6ac9ccc (17 x RedLineStealer, 9 x Smoke Loader, 4 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
116.203.56.209:19723

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
116.203.56.209:19723	https://threatfox.abuse.ch/ioc/850501/

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

0d61d2818b063c71648b5d7a4451e0c0.exe

Verdict:

Malicious activity

Analysis date:

2022-09-19 15:30:58 UTC

Tags:

loader evasion trojan stealer raccoon recordbreaker opendir rat redline

Link:

https://app.any.run/tasks/b2ef82cc-03fe-493c-b9ea-5caf9b85d5a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/311384/

Detection(s):

Win.Malware.Azorult-9949206-0

Win.Packed.Tofsee-9951336-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38154/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63288f78b333b2ec6b361778/reports/3e87d502-b35a-4e66-bf56-d4c61e3f3fb2/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/34859233-13bf-4630-ae40-4d37615e44d1

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1073079

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a74b01420e8468adebb40c4608d8cfc5d502f3bfed6a5ec20a2529e371fff5f4/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-09-19 15:47:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u5fqcqqoqruk325ubrdarwgpyxkqf4575vvf5qqkeuu6g4p76x2a._file

Verdict:

malicious

RedLineStealer

731d88b34eadf23542485c72ceec38154e2802c6a35dc8031afca7be99b85fa9

RedLineStealer

816ba07d828978228709f49586655c2c3a36171480a10c2e75b93aedc6ca4972

RedLineStealer

8b1306cc9e1b55da2c0874946bc20ab05c25d222a921d8b8c84f98779a7e2f47

RedLineStealer

c17753f3f6a7cb4663310401b7c64325c26e4d6595ce5c03b31bc65eaaf2754c

RedLineStealer

fb26dcd1a68d03999b0f5d0427a8b6c72d6816393b5ca2dc14ef6b1cd36cac62

RedLineStealer

fccc3daaffee8e81640aba5d1129eeeb9535463fa9a6ba9021450b7fcd93b3df

RedLineStealer

+ 3'269 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:666 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220919-s7mkzsfda6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

116.203.56.209:19723

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/950743ae-ad10-41b6-9102-aa6ba9c3e496

Unpacked files

SH256 hash:

a0b6eccf821c95e4eaa9117fca588115517c3dcf2bd47d8d7a47c9423b5c6e5d

MD5 hash:

079940660ff2fe58fa93b4270fd527ec

SHA1 hash:

ebeaa38e6449cc5890b4cd22e019a96558b215ed

Link:

https://www.unpac.me/results/db489991-402f-4268-836a-8f2e66e19e09/

SH256 hash:

03332d004b5bf939681bc85ab457f81a0250d98d5a7f4c39d714ebfef000be34

MD5 hash:

ffd19ca16e38fff71a26a3745188f19a

SHA1 hash:

964069783c4999d3da2c4988d6f0355a731da842

Detections:

redline

Link:

https://www.unpac.me/results/db489991-402f-4268-836a-8f2e66e19e09/

SH256 hash:

f19157a595514274def3c5b7609adc91ba19dde62c940a342080d7b5f554831f

MD5 hash:

ae39aca6f717dfcb686261ec7514d0bb

SHA1 hash:

00e25061c6c2a52cc80c259a34c295153dbc2a6d

Detections:

redline

Link:

https://www.unpac.me/results/db489991-402f-4268-836a-8f2e66e19e09/

SH256 hash:

a74b01420e8468adebb40c4608d8cfc5d502f3bfed6a5ec20a2529e371fff5f4

MD5 hash:

492741caac0d572d99c2c1f9ffe0963e

SHA1 hash:

bd3c47c948de432a6a299e9838e34c0232c40a0d

Link:

https://www.unpac.me/results/db489991-402f-4268-836a-8f2e66e19e09/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a74b01420e84/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a74b01420e8468adebb40c4608d8cfc5d502f3bfed6a5ec20a2529e371fff5f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311384/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample