MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b95acf9ae3908db86db5f5eba573c7d48c3188971daad4b311b97d49f417e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: c7b95acf9ae3908db86db5f5eba573c7d48c3188971daad4b311b97d49f417e5
SHA3-384 hash: ce803dda3fc1ac8a0137dcdc5c34645ae0a238a0c70317e50c40ddc14526c9ad181ae5797975d1b8ece6ff1db4f625fe
SHA1 hash: b9f8a4a8914b06c6f3a5fb54e422013fa0ebe605
MD5 hash: 531ddb472f8739488735ec64df53cb91
humanhash: mobile-kansas-beryllium-cold
File name: 531ddb472f8739488735ec64df53cb91.exe
Signature: RedLineStealer
File size: 413'184 bytes
First seen: 2022-01-24 21:25:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 13fe0c80afc1585ba6b2557231264a3e (6 x RedLineStealer, 1 x TeamBot)
ssdeep: 6144:9LcpkeRneGApusZFkDRrUijvrST6WZ5we/5Wu2X+QT51IN:9LcHIGApTFwrrjvr+BZ5T5UpWN
Threatray: 4'526 similar samples on MalwareBazaar
TLSH: T1BB94F1327492D471D45623744816CFA50FBEBC315AE5564B37B82B2EBF303A09A6239F
dhash icon: fcfcb4b4b494d9c1 (74 x Amadey, 56 x Smoke Loader, 38 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.9.20.112:57175

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.9.20.112:57175
ThreatFox reference: https://threatfox.abuse.ch/ioc/315764/

Intelligence


File Origin
# of uploads: 1
# of downloads: 228
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware mikey
Result
Verdict: UNKNOWN
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-01-24 21:26:12 UTC
File Type: PE (Exe)
Extracted files: 29
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:ruzki discovery infostealer spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 45.9.20.112:57175
Unpacked files

SHA256 hash: 1771591be743b2692797a1c0b5e77e159f70f7f4869602fb6f4add2d06b19551
MD5 hash: 15fad34a29872884046c76a3bf530138
SHA1 hash: bde751a122cd04029ae15f681f634ca50eaa381f

SHA256 hash: 5dd91a63ebaafedaa9a0bb0e6c68d8f1d08a449147aef1d30689e2def4608f16
MD5 hash: afce11eb28c22dd58c09587ff283948a
SHA1 hash: 9fff86039fa5e848b17141a74232c598ced81b6d

SHA256 hash: ad9856a24c603d73bccb43e7d965e9177bf66d013ea7435abf2f29d356fe294a
MD5 hash: 97883c66d83c9dffbdf0f6ad02fb37e1
SHA1 hash: 177f579722d634b5d67347e9cb00f0b9f7d155df

SHA256 hash: c7b95acf9ae3908db86db5f5eba573c7d48c3188971daad4b311b97d49f417e5
MD5 hash: 531ddb472f8739488735ec64df53cb91
SHA1 hash: b9f8a4a8914b06c6f3a5fb54e422013fa0ebe605
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: RedLineStealer
File: Executable exe c7b95acf9ae3908db86db5f5eba573c7d48c3188971daad4b311b97d49f417e5 (this sample)

Delivery method: Distributed via web download