MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf7050e71da2ed976d1298a9732c78aeba04db079848da295b4ed0ec0cac4e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf7050e71da2ed976d1298a9732c78aeba04db079848da295b4ed0ec0cac4e35
SHA3-384 hash: 37ffc1c3daa6fd7cf8e690f3028218186f81e96ddbcd6342cbde8c8a0a43ab45a2d4abaad108efc8208448ce8ac692b4
SHA1 hash: 1998d29f59762c8e8d05c41911ecf21225b18303
MD5 hash: 70ddfc5ca509b761b11067d701e8a44f
humanhash: rugby-sink-failed-west
File name:AutoTune crack.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'195'416 bytes
First seen:2022-07-28 18:46:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:QzY4BJQNjYZgYiYWf23nECMOCdS2SSiSQdnANCOYI:QztSNjYDCBPQdpzI
Threatray 274 similar samples on MalwareBazaar
TLSH T1B4455C2AE74719B4DA135772C59EEB7B9B147A248026AE3FFF4ADA0CB4330133C45166
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter iam_py_test
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
AutoTune crack.exe
Verdict:
Malicious activity
Analysis date:
2022-07-28 17:36:53 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/615078fa-0239-48b8-b9aa-c37b15e41752

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294966/
Detection(s):
Win.Packed.Generic-9958485-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27698/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ea98d65-ba49-455c-8044-71f8407a6f09
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf7050e71da2ed976d1298a9732c78aeba04db079848da295b4ed0ec0cac4e35/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-07-28 13:45:50 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5yfbzy5ulwzo3istcuxgldyv25ajwyhtbenukk3j3ioydfmjy2q._file
Verdict:
malicious
Similar samples:
184e41a9fca98ca1a748e16b005d77fc5f07d708ba812846c445b56c170604d9
RedLineStealer
1d128ffc3927d02e3393da5e27d2557766f82df921b09d42603b08d5724e9e9a
RedLineStealer
2d1b8fb40c3a716ef9c0b3282c1ae6c17af5c746c92ab22019974b3503771b31
RedLineStealer
502fe5ef79bd707b4b31d35b6ac4df2ee14a59012080abe632aa51cd1908fd15
RedLineStealer
56013a94edeaf931e04fc0103058f3d183f1fd9f46e4e133d6f4bb63a0826486
RedLineStealer
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
RedLineStealer
59292b957c1aa3f92eb26dcdf6bcd1c9db6d3cf950d57d346ce6e3c2f33005e3
RedLineStealer
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
RedLineStealer
d79a379ce1fcbe1e3548dfde37f6c2591f2ebf8de6c0d0db6f282933e529cf53
RedLineStealer
+ 264 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@sedeci330 infostealer spyware
Link:
https://tria.ge/reports/220728-xel6zaahar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.106.92.226:40788
Unpacked files
SH256 hash:
9791387359fc477b5f54b26b8e41e98e56eeb1dd0c8c6748fa7214455aa29935
MD5 hash:
fa695a671799bba10de62ea4a143ee58
SHA1 hash:
ca8582564f2e090785dfa5f8b5639db63bb59f3c
Link:
https://www.unpac.me/results/bddbe3ff-4168-4a81-b1ec-e97bc3c1e10d/
SH256 hash:
bf7050e71da2ed976d1298a9732c78aeba04db079848da295b4ed0ec0cac4e35
MD5 hash:
70ddfc5ca509b761b11067d701e8a44f
SHA1 hash:
1998d29f59762c8e8d05c41911ecf21225b18303
Link:
https://www.unpac.me/results/bddbe3ff-4168-4a81-b1ec-e97bc3c1e10d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

970445c38121dd40eeb03f2fa863b95c572d4646faa0b367c03f985a16375e9e

RedLineStealer

Executable exe bf7050e71da2ed976d1298a9732c78aeba04db079848da295b4ed0ec0cac4e35

(this sample)

  
Dropped by
SHA256 970445c38121dd40eeb03f2fa863b95c572d4646faa0b367c03f985a16375e9e
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/294966/

Comments