MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf7cfd220d44eba42f39dc189cef99116ca1036f43a9324b9cc3f04bb7a19d6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: bf7cfd220d44eba42f39dc189cef99116ca1036f43a9324b9cc3f04bb7a19d6f
SHA3-384 hash: ff4efb9150953c01cbd001394e991da757cc60e2d784d8689e4895ddbb8156a9dbd5f0bec1bf8e10085d59d4e19f565c
SHA1 hash: 9c8820eb30ff6c54101f248b9d7a92c3191820ae
MD5 hash: 8fa81f3e0a6e0015be4c633c855f7778
humanhash: bravo-cold-delta-ack
File name: 23294008.exe
Signature: RedLineStealer
File size: 4'131'840 bytes
First seen: 2022-03-19 05:06:33 UTC
Last seen: 2022-03-19 06:42:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep: 98304:TeJzQG8T34Y+9nYzwRZncZQjtBIfsipZsqFl8IOpma5:TeJ8TIx+41j6fsip7FlCd
Threatray: 5'317 similar samples on MalwareBazaar
TLSH: T1501633BFA5105275DB0F033C5E818F94FAE6494697004324EEB3197724A98B7B3A20FB
Reporter: adm1n_usa32
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 261
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Searching for the window
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-03-19 05:07:20 UTC
File Type: PE (Exe)
AV detection: 19 of 27 (70.37%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Program crash
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.
