MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36e44375178500f7714d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36e44375178500f7714d9
SHA3-384 hash: 7e9d3fbb1dd0095827b418e4abae192f45c9ff449f7dccdd37abf3a35a30a5f523b6a07d28bf500ab73d29197a7be7b7
SHA1 hash: 1dfbae9ffc7b09e65e7cbd648e6d2b814573b6df
MD5 hash: a38aa72fa30c18083afbfc50cfd5bdec
humanhash: potato-mike-nine-xray
File name:ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:980'520 bytes
First seen:2021-11-10 06:41:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 641e0b8d4845d5673b6d9b3d409d6a12 (1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 24576:7QkYzWDv1s1Em24sNK4CpWLopdSU+NtrWFROuZ9CwV3it66OnfIFFFeg:OZ8M3itVCM
Threatray 4'046 similar samples on MalwareBazaar
TLSH T1512581C7E39B3429FB2321F651BB3A77303508916B89A6E30C739847F490AD656B1D1B
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
178.63.69.133:41433

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
178.63.69.133:41433 https://threatfox.abuse.ch/ioc/246356/

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204626/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31419.1476.2989.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed vidar wacatac
Link:
https://www.filescan.io/uploads/618b69be175442ca93aa4010/reports/f624486a-93b8-459f-964b-b689b06bd3fe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f891dc5-c663-4343-a2f8-41046f3ae614
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/886510
Signature
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36e44375178500f7714d9/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 05:09:29 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zj5vtjyw273mv4sk2isyounqup5y7uluupbw4rbxkf4fad3xctmq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
2fdbbe32c94ec82a32e5c81f31a6d6ae0688d5be8a819de8d468d36f54760f1b
RedLineStealer
45a61514d5ec9ef37d22edbd8ded4420f359358333c787ecd1c6997fabdfa374
RedLineStealer
829225fc19a57409d03967926eeb1ee6b4da7184af8e25f80ffeba6633b46c82
RedLineStealer
9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7
RedLineStealer
a471c6e29bde00363fce770ed79fb8f9fff011febc26e87862c53ca32aa3f55c
RedLineStealer
d68549067554697569e1566c1e4c993a7e84dae92fb30e39ac9f4fc184e48cd1
RedLineStealer
f063a271d8a2da357559a32adcec6083529158168bf340c2b3c393778898da66
RedLineStealer
+ 4'036 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:01111 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211110-hgcyradffl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
178.63.69.133:41433
Unpacked files
SH256 hash:
932ba5238e4c7859416b3326334965157e565e5bc8fb33b1aca132bb1442d00a
MD5 hash:
f4e99db58c9304fc9ab711173e9174cc
SHA1 hash:
dd18fc2d0653c9b3f0c2e8d131a57a7ad348c67a
Link:
https://www.unpac.me/results/49ce0493-74a8-46f2-b45a-cb3f87bfe923/
SH256 hash:
95f057d87797f523959252bcff3e036a6d50e09641d4fb07f0d8e9486ac7f620
MD5 hash:
f96da49091575a09f3fb7652ba1ee6b5
SHA1 hash:
837868be68261fab09ebb2ea7b7dcbe5ad655915
Link:
https://www.unpac.me/results/49ce0493-74a8-46f2-b45a-cb3f87bfe923/
SH256 hash:
c793284ee3e37c69cd127f2fbc893765cfb2893e4b90340b6ed1a02595a52c87
MD5 hash:
098e7f05fa1715e9bdf87b2ea59a2bb9
SHA1 hash:
3823a6951394daa96d8f9304927a94ba9fd49be2
Link:
https://www.unpac.me/results/49ce0493-74a8-46f2-b45a-cb3f87bfe923/
SH256 hash:
ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36e44375178500f7714d9
MD5 hash:
a38aa72fa30c18083afbfc50cfd5bdec
SHA1 hash:
1dfbae9ffc7b09e65e7cbd648e6d2b814573b6df
Link:
https://www.unpac.me/results/49ce0493-74a8-46f2-b45a-cb3f87bfe923/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ca7b59a716d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36e44375178500f7714d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:WIN32_MALWR_DROPPER_INJECTOR_RANSOMWARE
Create hunting rule
Author:Jesper Mikkelsen
Description:Detect Suspicous dropper injector - possible ransomware dropper
Reference:SHA-1:0feda1e7b0d4506270c85973826fa498e9ed0f5b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/204626/

Comments