MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae
SHA3-384 hash: 9bc213cda3b9db19a6f1ce9a2be250a52367f5259ffc2a28c449e83776125ff0b8af2dcfb0083d698013a7ab100a3ddf
SHA1 hash: 04fab8643288b4cac335f79587a929a4d9336860
MD5 hash: 66490d4520c2680555bbda14d832aa36
humanhash: paris-nevada-salami-jig
File name:updater_2357.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'978'476 bytes
First seen:2022-12-26 23:22:57 UTC
Last seen:2022-12-27 01:00:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e34255f24c16c6689f04ecd0d604895e (1 x RedLineStealer)
ssdeep 49152:LPvfUOPFqT/Bhs1hmvIps1hmvIps1hmvISs1hmvIe:7v8OPFqTB46X6X6W6l
Threatray 10'428 similar samples on MalwareBazaar
TLSH T17C954703F800F926FB9501FD86D6C7BF60181F800FA52CE6564B5954F96FB8B97A2A70
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Zacinquarantine
Tags:exe Redline RedLineStealer


Avatar
Zacinquarantine
https://tria.ge/221226-288dhsdh92/behavioral1
https://www.virustotal.com/gui/file/b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae/detection

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
updater_2357.exe
Verdict:
Malicious activity
Analysis date:
2022-12-26 23:24:27 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e5e5cc7e-3bff-41aa-84db-5f5a001ff339

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64257184.28033.8499.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes overlay packed redline
Link:
https://www.filescan.io/uploads/63aa2cd740e878e3042038fc/reports/0e2112d2-d2e9-47cf-8389-80cb39cea5b9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5577696-78e1-4712-82ef-d91e99c0010a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1141287
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 22:44:52 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5zjvuaujkc7rnou4oqfpy2ajtodebg2eaimq54y6mvri2rb3oxa._file
Verdict:
malicious
Similar samples:
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
RedLineStealer
3edb9c1cbc84959696a940c97d4387d05ceceda1fdc858954a5aa23127b84454
RedLineStealer
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
RedLineStealer
5270945de8fd0a548e710e4f2464679eda78b06626711bc8359939a68c277b19
RedLineStealer
62b6f858e363c0fc99260b004d1ce9a5d01162c05d822cc841bea375b8b995dc
RedLineStealer
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
RedLineStealer
9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7
RedLineStealer
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
RedLineStealer
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
RedLineStealer
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
RedLineStealer
+ 10'418 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cesar discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221226-3c47nadh95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.73.134.54:19123
Unpacked files
SH256 hash:
51257d018ff4ce5ae8206d9665b6c34ca133401e54fd8d36fd80285fa93102c4
MD5 hash:
312b1b1fdc576caa1a593ec774b609be
SHA1 hash:
8fd0e07472252b934f74584977791d60bf3b4968
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/61bb6c43-54cd-4476-aef1-e68841e45bff/
Parent samples :
9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7
b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae
SH256 hash:
ace78ea250664c65701a77d971ba6b7c66e7d02f29c7dae29fc8e4629b610130
MD5 hash:
2776d9e063f6cdd8286a736770eb2b62
SHA1 hash:
450ef060b6dd41b31a265e2898d478a5b18896f8
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/61bb6c43-54cd-4476-aef1-e68841e45bff/
Parent samples :
9a676c2844b5d990aaf3e34b4c70162ecdaca389d9198cb12b46568af70347a7
b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae
SH256 hash:
de02de9a91ec1f2570038002ed64632d2daf9474665141f47492820a95ea8107
MD5 hash:
03510c228269d218b3d198ebcab59d0e
SHA1 hash:
458831b85e352682cc0511e7cfec3cfcfcdd0b0c
Link:
https://www.unpac.me/results/61bb6c43-54cd-4476-aef1-e68841e45bff/
SH256 hash:
b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae
MD5 hash:
66490d4520c2680555bbda14d832aa36
SHA1 hash:
04fab8643288b4cac335f79587a929a4d9336860
Link:
https://www.unpac.me/results/61bb6c43-54cd-4476-aef1-e68841e45bff/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b7729ad0144a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b7729ad0144a85f8b5d4e3a057e3404cdc3204da2010c87798f32b146a21dbae

(this sample)

Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
  
Delivery method
Distributed via web download

Comments