MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca165420014bdc3d4156c6b1ff574fc3c8443981e009d484d7c22fe9263dd41d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	ca165420014bdc3d4156c6b1ff574fc3c8443981e009d484d7c22fe9263dd41d
SHA3-384 hash:	4d31eae3f062a20883c24902bb91438c0be8a339eb74277c403a108714ede4c34615e9782dbf7c89c7e0c86d1d2a40b0
SHA1 hash:	398a27ce9af154b7713b93ef30a055e4f142111d
MD5 hash:	895d15986ab2ce5c443edc686ce76f60
humanhash:	alaska-fillet-mississippi-alabama
File name:	895d15986ab2ce5c443edc686ce76f60.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	464'384 bytes
First seen:	2022-07-11 22:40:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	aca74b8b0f43d3afddff2065aec6913f (2 x RedLineStealer)
ssdeep	12288:AiLdE4w/FpRR6gqLyb4CqCu7SKGIn6staBpQzY5e:AudE4w/Fh6gqC4Cqj7Dn623s
TLSH	T14BA4E023B1942A7BD802C872673095A19D6774725BEF85FB7BD81E1F4EA14E04B38E43
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
78.47.60.126:37397

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
78.47.60.126:37397	https://threatfox.abuse.ch/ioc/826544/

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

895d15986ab2ce5c443edc686ce76f60.exe

Verdict:

Malicious activity

Analysis date:

2022-07-11 22:47:49 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/5df1abc9-51b7-40b6-96e6-452a34cc51aa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/286403/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/62cca73c81790e51fe592510/reports/9f72334b-f47d-4ba7-92dd-3e891877da94/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/00286e34-0d7f-4e95-9cd6-ed27fe8af6b3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1029061

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found API chain indicative of debugger detection

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ca165420014bdc3d4156c6b1ff574fc3c8443981e009d484d7c22fe9263dd41d/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-07-09 13:11:55 UTC

File Type:

PE (Exe)

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zilfiiabjpod2qkwy2y76v2pypeeiomb4ae5jbgxyix6sjr52qoq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1733431142_99 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220711-2l3vhsdean/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine payload

Malware Config

C2 Extraction:

amdosquad.top:37397

Unpacked files

SH256 hash:

1f8f0ab5aecbc72689b0a51e3c3c4b00988f5dae54cf657cf6c5a5d9ae4d17ff

MD5 hash:

ce99dc9e97b9aaffa380e5091ce97d6e

SHA1 hash:

efc5c0561e844ed4396f9b30fdcd6d9feaf03814

Link:

https://www.unpac.me/results/89eaec81-aa8f-49cf-aa6c-bc4a5851b5e9/

SH256 hash:

dac5d14912683009ec2c0e49668ce8f5ddebf39e1a767bc58b6ec35e3c28683e

MD5 hash:

463bdabefe6177b954637706a8529790

SHA1 hash:

b097bdb23c9e81bf93718c9866f71bd7d8e60f7a

Link:

https://www.unpac.me/results/89eaec81-aa8f-49cf-aa6c-bc4a5851b5e9/

SH256 hash:

ca165420014bdc3d4156c6b1ff574fc3c8443981e009d484d7c22fe9263dd41d

MD5 hash:

895d15986ab2ce5c443edc686ce76f60

SHA1 hash:

398a27ce9af154b7713b93ef30a055e4f142111d

Link:

https://www.unpac.me/results/89eaec81-aa8f-49cf-aa6c-bc4a5851b5e9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ca165420014b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ca165420014bdc3d4156c6b1ff574fc3c8443981e009d484d7c22fe9263dd41d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/286403/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample