MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7e4f1da0530887fb3c60141d8263cc9c92474067f9f8c6b9b65633a72bd87ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a7e4f1da0530887fb3c60141d8263cc9c92474067f9f8c6b9b65633a72bd87ce
SHA3-384 hash:	324eb3fdc270e14fc27b4a7993ebb28db9c9470cb2f72749c009bacb207a831f51cd4f94eafddfc7ae242fd7dee9f67b
SHA1 hash:	640aec31c2ac988d7bc2ba39accd1399d68c7e48
MD5 hash:	04b456ff36412c84821b0e945c24bc71
humanhash:	oxygen-emma-neptune-carolina
File name:	04b456ff36412c84821b0e945c24bc71.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	326'656 bytes
First seen:	2021-09-25 08:11:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2d3e8f1de619588f819136537821e72a (3 x RaccoonStealer, 3 x RedLineStealer, 1 x CoinMiner)
ssdeep	6144:wNZQtZa/fEK5uuWyF9L12P0TKIbywJLSjyYWf67fDwdfMP9UGLL8:qZb/fEK5uzIL12sWImzjyYWy7fyUPWK
Threatray	2'204 similar samples on MalwareBazaar
TLSH	T1A964BE20BBA0C035F5F712F85AB99368A43E7A709B3051CF52D616EE26346E4DD30B57
File icon (PE):
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
91.142.77.155:5469

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.142.77.155:5469	https://threatfox.abuse.ch/ioc/226453/

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6149ce_Bandicam-Crack-.zip

Verdict:

Malicious activity

Analysis date:

2021-09-21 12:30:36 UTC

Tags:

trojan rat redline evasion loader stealer vidar opendir raccoon

Link:

https://app.any.run/tasks/b90ae939-065b-4b13-8b9c-6611533d4441

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191373/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.23220.18891.UNOFFICIAL

Win.Packed.Fragtor-9895216-0

Win.Malware.Fragtor-9895220-0

Win.Malware.Generic-9895402-0

Win.Malware.Fragtor-9895682-0

Win.Malware.Fragtor-9895683-0

Win.Packed.Fragtor-9895692-0

Win.Malware.Fragtor-9895773-0

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6f0d4cd1-5412-460b-9204-1b708d46a5b8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/857825

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a7e4f1da0530887fb3c60141d8263cc9c92474067f9f8c6b9b65633a72bd87ce/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-20 15:27:33 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u7spdwqfgceh7m6gafa5qjr4zhesi5agp6pyy243mvrtu4v5q7ha._file

Verdict:

malicious

RedLineStealer

3f325a237265eac17786e79dab8fd11688d7022755982385b8ee17de035570d5

RedLineStealer

61929967132e6a3a435292821d1f6ec8f96247936a6da0ec7ecb6d0795feb89b

RedLineStealer

6ed0e0fc4fc180454a9ebb07cf9cebecdc7595bde25f883f0360e1fc5cde77a3

RedLineStealer

6ed5c2256aac5654f708b39f82f40f29ebab155e0e7fd237db5d70903a240981

RedLineStealer

811b982a5a257a2a9acd46bbf0f68a166470726017e60bb752410ece2cf01ef5

RedLineStealer

c2dd287121b9ecbd07a1f4ca65b433e2d56df56f360c7f2037d17845a9705f5e

RedLineStealer

caeaa61b2a6b40b30c615dd9cb342201ce3e5035c6d1a2b4936a587099b73c21

RedLineStealer

d8b8bba9880d2b162e945873f1ad1d048b6fc2c78b2501a0ad08f46aec0ed559

RedLineStealer

e81604994f95ef3f2c0c79b64b37664b55075a06b4bceef35b9ea5f160b5bd94

RedLineStealer

+ 2'194 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:10k ruzki2 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210925-j3whnaagg3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

91.142.77.155:5469

Unpacked files

SH256 hash:

56ba9e5ad688cae1ffe972996d21981c2281a3e03058d93ba7582dd18d5d4fc7

MD5 hash:

e5ddb367f3100816d56eec6faf64242b

SHA1 hash:

f0bcc5fa8c3e313dd82bc74caf48c20a51de6bbf

Link:

https://www.unpac.me/results/c81f2262-25bb-4cc2-83e1-12928fcdf217/

SH256 hash:

fa3cea2e7e32c741159e72f3d12f864c3a2df8be89f15482e00039135dfccb18

MD5 hash:

889ab8b8808628662b9c65cdd9d8d5a6

SHA1 hash:

d9f323745f218205a386aa024fd594a0bd78e911

Link:

https://www.unpac.me/results/c81f2262-25bb-4cc2-83e1-12928fcdf217/

SH256 hash:

2731e8228263d1a1380cbae8037a66cb42c394d5a3b2ddce0028b0b093a68889

MD5 hash:

aa019edb53c65f0b09f9104697f4a3de

SHA1 hash:

c86737cdf3f51a0cb6fe9f74698c44d171e01f03

Link:

https://www.unpac.me/results/c81f2262-25bb-4cc2-83e1-12928fcdf217/

SH256 hash:

a7e4f1da0530887fb3c60141d8263cc9c92474067f9f8c6b9b65633a72bd87ce

MD5 hash:

04b456ff36412c84821b0e945c24bc71

SHA1 hash:

640aec31c2ac988d7bc2ba39accd1399d68c7e48

Link:

https://www.unpac.me/results/c81f2262-25bb-4cc2-83e1-12928fcdf217/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a7e4f1da0530/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a7e4f1da0530887fb3c60141d8263cc9c92474067f9f8c6b9b65633a72bd87ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191373/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample