MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca073d12918385962188c80d05b26317f391a0b5aef037ba84f9cf26c5ae3d8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	ca073d12918385962188c80d05b26317f391a0b5aef037ba84f9cf26c5ae3d8d
SHA3-384 hash:	3ec6983409f9e5ab9fc2109cf938ae8e9beb112c90d8044f6947a7655e8dbb236f1b0a7fcfcc35a4bd518143049d22c8
SHA1 hash:	977aa7fd098f2f6ec9273ebb4c640b741229b784
MD5 hash:	c92820a2a9eff7543ada3d48147eea6c
humanhash:	twenty-pip-one-freddie
File name:	ca073d12918385962188c80d05b26317f391a0b5aef03.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	409'088 bytes
First seen:	2022-03-19 10:50:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4afe698a4ff3f157978858a4a5de1db8 (2 x Smoke Loader, 1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	6144:YgoCkgU7dHcbs+udtgRksV1SejfjLK38+57b1ojPYO7uCAi:noldHcbs+udtTkkfl1oDYO7
Threatray	4'441 similar samples on MalwareBazaar
TLSH	T14B94CF40BBA0D03DE5B706F87965D3B8B93E3DA15B2564CB62C26ADE16312E1DCB4307
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.233.48.58:38989

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.233.48.58:38989	https://threatfox.abuse.ch/ioc/409201/

Intelligence

File Origin

# of uploads :

# of downloads :

360

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/252956/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/9816/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6235b5980cd58dbd92bde2de/reports/490f1918-cc2b-4eab-8c58-94c672a9f378/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a173791-4de9-4b79-ad87-d84b424a28ec

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960073

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ca073d12918385962188c80d05b26317f391a0b5aef037ba84f9cf26c5ae3d8d/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-03-19 10:51:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zidt2eurqoczmimizagqlmtdc7zzdifvv3ydpoue7hhsnrnohwgq._file

Verdict:

malicious

RedLineStealer

30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6

RedLineStealer

34114068f879bb490e6ea528cf7f05cfc2af45c9fc020d6a8695ca0500ea2f2d

RedLineStealer

7cf017b257f3d2604cc7f191baa47989a27ade9a9bba3b28fc1bacdc4afedc0b

RedLineStealer

93640539e9c8428a5aaabe06fedaf6b32aaa33c021477413bb4a86f94deee712

RedLineStealer

b08b3e6b5af70122e7a4166948280bda32b6403b1562018fd4e8d063e7f5b9f8

RedLineStealer

+ 4'431 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzki discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220319-mxtnnagbhr/

Behaviour

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.233.48.58:38989

Unpacked files

SH256 hash:

19fec522e6ddfc64730dfdba5108f8972631f64b0c2283019128cc9904f16c30

MD5 hash:

c84e55891be08610732c73fa09aa7fd1

SHA1 hash:

e4c41c452537fae4c9b72104e75728a270d600ee

Link:

https://www.unpac.me/results/f09a9fd1-13df-458a-b1c6-f42f1f96a8bf/

SH256 hash:

c2618311d497966c9d08fd2e74ee3782a5e691562c041c13746583277a67ac30

MD5 hash:

ff0e9032573fad2059d8437554089c0c

SHA1 hash:

e3fbd83f7b42a43d0b42c7182afe7fcea2ce7ef6

Link:

https://www.unpac.me/results/f09a9fd1-13df-458a-b1c6-f42f1f96a8bf/

SH256 hash:

e5e5fb9b44fcd81211951bca36d150a5b215a78c45f19fbaf341aced0e2b1cf8

MD5 hash:

2bfbdf39cf142eb7dd6592974e93c2bb

SHA1 hash:

71f6e7419da0eb0413cd4b5b2041f6a2e1db21b4

Link:

https://www.unpac.me/results/f09a9fd1-13df-458a-b1c6-f42f1f96a8bf/

SH256 hash:

ca073d12918385962188c80d05b26317f391a0b5aef037ba84f9cf26c5ae3d8d

MD5 hash:

c92820a2a9eff7543ada3d48147eea6c

SHA1 hash:

977aa7fd098f2f6ec9273ebb4c640b741229b784

Link:

https://www.unpac.me/results/f09a9fd1-13df-458a-b1c6-f42f1f96a8bf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ca073d12918385962188c80d05b26317f391a0b5aef037ba84f9cf26c5ae3d8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/252956/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample