MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
SHA3-384 hash: d3bfaf5878bbccdcbe61c774554e18475199459daeed19a4a7672ea43c630f9eaa9d032035d8eff28de8305f6068d83a
SHA1 hash: afa1eace436c9bec6167c75e4e7e79e48e87b004
MD5 hash: 21fd2a38a381a5ffb302eee3427b7999
humanhash: island-east-moon-pasta
File name:SecuriteInfo.com.Win32.Evo-gen.13722.27998
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:351'232 bytes
First seen:2022-12-25 05:29:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ea9f0326cf512ac0eb7dd4bc1a00a19 (18 x RedLineStealer, 17 x Smoke Loader, 2 x TeamBot)
ssdeep 6144:JLV2zgRDxIByVtzOPW+Upjn87mdqwHyvVwPaMqCCK8:Jx2zgNOyV9oW+UjhdqwHyvjzCCK8
Threatray 12'185 similar samples on MalwareBazaar
TLSH T1ED74F11CFAA3D432C99146388816EFE81B69FC705F20567E33147A5F2E70EE1557A3A2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9ecececee6eae6 (8 x Smoke Loader, 1 x CoinMiner, 1 x Tofsee)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.Evo-gen.13722.27998
Verdict:
Malicious activity
Analysis date:
2022-12-25 05:31:35 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/0c28dbf3-a550-47a6-9f1e-9eef0bfccb37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.13722.27998.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware lockbit packed
Link:
https://www.filescan.io/uploads/63a7dfdc898959f356c5d380/reports/eb8a621f-3236-4c88-8bdf-77e0ba36f4ce/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58755e1d-9b08-4b24-b92c-0fc43365fea2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140709
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-25 05:30:07 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkfxjvg4d7yllb3koavqvskfbbko24qzz6lizfg5allxcpeerhsq._file
Verdict:
malicious
Similar samples:
3edb9c1cbc84959696a940c97d4387d05ceceda1fdc858954a5aa23127b84454
RedLineStealer
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
RedLineStealer
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
RedLineStealer
5270945de8fd0a548e710e4f2464679eda78b06626711bc8359939a68c277b19
RedLineStealer
62b6f858e363c0fc99260b004d1ce9a5d01162c05d822cc841bea375b8b995dc
RedLineStealer
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
RedLineStealer
9690e6debc1e6c45d178292fa0dcf2d606b0f29f0152a525dd3bd55a1eb63390
RedLineStealer
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
RedLineStealer
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
RedLineStealer
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
RedLineStealer
+ 12'175 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:shakur discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221225-f66agsbb65/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
10d89dc018c4f68c4de429d05553643fe51c13ead82dd5ffe77ca6ce3da0bb04
MD5 hash:
57e2dc37dcb1345f2eb161a54cec3e83
SHA1 hash:
f32b2dc4905b6f0bf9bf28376b58773ca6c79852
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6db6078e-f503-4342-a224-5de27e3abfc5/
Parent samples :
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
114bc4570edf3732d88f11383a7fbe4eb8a92417193f9d098ba095a86b5a60aa
46e8f1e77e132152528af8fea7bc9fe5d08df40b4222d6e91f61cfc0866e73e8
0edbf92ba8990787fa99d173c29e093b379f258ad5a4b3804ffeb5b9e3b2d559
a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e
e56e9ab8b567b715b48f14a6c2cb425da1aa3b9df482264c37cd4000bdad99bc
SH256 hash:
5e19b7346f0bfad5eb4a9a942db22aba5be6ce7b6699b1304188090475565341
MD5 hash:
9a8d13fd329a1b399735e1f92a586aab
SHA1 hash:
da5fd282102baf2b3d91768d4303497fdb47bae6
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6db6078e-f503-4342-a224-5de27e3abfc5/
Parent samples :
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
46e8f1e77e132152528af8fea7bc9fe5d08df40b4222d6e91f61cfc0866e73e8
0edbf92ba8990787fa99d173c29e093b379f258ad5a4b3804ffeb5b9e3b2d559
a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e
e56e9ab8b567b715b48f14a6c2cb425da1aa3b9df482264c37cd4000bdad99bc
SH256 hash:
cd762a88c2abde591ec9d8a08b0d5d294d942a28085c88b47711e3650560a855
MD5 hash:
b32321503e273118774201c42a5b185f
SHA1 hash:
1d08f10d5f775a53a4b6d8f6a5547af1a279a002
Link:
https://www.unpac.me/results/6db6078e-f503-4342-a224-5de27e3abfc5/
SH256 hash:
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
MD5 hash:
21fd2a38a381a5ffb302eee3427b7999
SHA1 hash:
afa1eace436c9bec6167c75e4e7e79e48e87b004
Link:
https://www.unpac.me/results/6db6078e-f503-4342-a224-5de27e3abfc5/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca8b74d4dc1f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2479238/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2485583/

Comments