MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af720c7766c2aa02e8aa105526deae9393089a00e9e290f5db8d5172523c3c21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 4


Intelligence 4 IOCs 2 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af720c7766c2aa02e8aa105526deae9393089a00e9e290f5db8d5172523c3c21
SHA3-384 hash: 8e7c25b1801d047c30e76c0f47714860e49844ee7a9d1ff401dba732fb3456075f0b0272b865e79fe9ce220332ce825c
SHA1 hash: 650f9ce64c3f25f4796e6c1f0b483a77cef77800
MD5 hash: 0e111822f3e0fadc8b1b08951252eac7
humanhash: oxygen-seven-kansas-apart
File name:Launcher.rar
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:328'580 bytes
First seen:2023-07-04 12:56:58 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
Note:This file is a password protected archive. The password is: 2023
ssdeep 6144:wmf/NSIT+HKEbKNzDtGdk3V2K0PLQk/p2SK1Jom01FV:5sIMKdzDtWuwHQ+pHKYm01FV
TLSH T14E6423D2AA12CC7745B661D27382B1E3F30F028A66A203CD658B8D9D9DC41DCDFB5B91
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter iam_py_test
Tags:pw:2023 rar Redline RedLineStealer


Avatar
iam_py_test
Password-protected archive containing RedLine stealer. The password is 2023

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.157.120.4:17355 https://threatfox.abuse.ch/ioc/1135513/
94.142.138.147:48665 https://threatfox.abuse.ch/ioc/1116621/

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
US US
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:Activation.exe
File size:757'248 bytes
SHA256 hash: c82cf281de6456f303a2ec546b11644a11c2dc4b7c67e5df0774430db3d5a29c
MD5 hash: 8a00d42302aa0fa3a4ebcca00d834b6d
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Launcher.exe
File size:222'536 bytes
SHA256 hash: ff59399142eebc8e4829b279c9521fc671d3ccff737f9b236d18c50f349599b0
MD5 hash: a78dcbd9bcf3738d09d091079a322e9c
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/af720c7766c2aa02e8aa105526deae9393089a00e9e290f5db8d5172523c3c21
Result
Verdict:
SUSPICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af720c7766c2aa02e8aa105526deae9393089a00e9e290f5db8d5172523c3c21/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5zay53gykvaf2fkcbksnxvosojqrgqa5hrjb5o3rvixeur4hqqq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230704-qf3rsaeh71/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
94.142.138.147:48665
185.157.120.4:17355
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/af720c7766c2aa02e8aa105526deae9393089a00e9e290f5db8d5172523c3c21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Create hunting rule
Author:ditekSHen
Description:Detects executables containing base64 encoded User Agent
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

rar af720c7766c2aa02e8aa105526deae9393089a00e9e290f5db8d5172523c3c21

(this sample)

RedLineStealer

Executable exe ff59399142eebc8e4829b279c9521fc671d3ccff737f9b236d18c50f349599b0

anyrun
any.run
https://app.any.run/tasks/d0acfd8c-84bc-43a2-b377-02681a439a8d
  
Dropping
SHA256 ff59399142eebc8e4829b279c9521fc671d3ccff737f9b236d18c50f349599b0
  
Dropping
SHA256 c82cf281de6456f303a2ec546b11644a11c2dc4b7c67e5df0774430db3d5a29c
  
Delivery method
Distributed via web download
  
Dropping
MD5 a78dcbd9bcf3738d09d091079a322e9c
  
Dropping
MD5 8a00d42302aa0fa3a4ebcca00d834b6d

Comments