MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad
SHA3-384 hash: b64a14aae4e58ea869a4cb9d0e1b13305da1cc02c0709602fc542d9630c842ddf5616b05981619bec2219c4272ad38a9
SHA1 hash: 07d6cb638f66ae84ec8e00d30d0a4cbb7bf3e323
MD5 hash: fc49185c7b22693cff35567cbd7feeec
humanhash: lima-lima-nineteen-saturn
File name:fc49185c7b22693cff35567cbd7feeec.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:414'720 bytes
First seen:2023-02-06 09:46:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 13dc564127b9f6b618808536c7e12f68 (12 x Smoke Loader, 12 x Tofsee, 9 x RedLineStealer)
ssdeep 6144:IFpLzfvq1+QSZLKEXbuHwPGLJvK1Lrov5ThR1uk6oX:IvnS1+QSZLLRPAS5m9R1r/
Threatray 14'482 similar samples on MalwareBazaar
TLSH T19194AE03E7F17C66E61687729E1EC7E8758EF5508E597769121CCE2F18B01B2C7A3228
TrID 38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 048880080c04a040 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d249cba6a7e2a1733fc5cf789ebfdca9.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 09:54:30 UTC
Tags:
trojan rat redline amadey loader
Link:
https://app.any.run/tasks/e6f69cf6-6195-47a4-a2b1-b8d69122ae48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360766/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63e0cc5e96add6d1cf49c4e2/reports/e2913f51-04e3-46b6-b37c-9745cb4c333c/overview
Verdict:
Malicious
Labled as:
Ransom.788A61AA
Link:
https://www.hybrid-analysis.com/sample/caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cebfe19b-88b4-4af0-a362-b635157f2a2d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166452
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 09:47:06 UTC
File Type:
PE (Exe)
Extracted files:
81
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zl2rxpbgicfa3hr3ermvwayy4eultpeyzzyt7kjw765k32tkgowq._file
Verdict:
malicious
Similar samples:
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
RedLineStealer
8f3216bf4138af68094d497d8dbf97ca09be75b8f43813d838fa89a39b532e4f
RedLineStealer
9dc555f3f656cd15f7a7a41d3b44050c1df4d51159825c0a023016545a05b024
RedLineStealer
a47f63687886345a020234f5783fb22b7eb8cdfd1636b4a7396971f82b19b341
RedLineStealer
b28761dcebdb2388cbe68dde67065b717b2e9bc1e062ff1c68780ca5faa20e73
RedLineStealer
b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
RedLineStealer
dde4ae84602bcca68bf6f0083019a27aa8768876d149a96cca059652d5c99151
RedLineStealer
ebd46441b3e3a1c1e64d6b0952dacb9bcdd896bb95c8a62bc3a4028a58b1573c
RedLineStealer
f061e1d95993dcfc7489306d19cb91a60d2026f9707c167be6c1dc2da7a32e9a
RedLineStealer
f465bc20dc2940cea44fba3ddd73fc997bd41e7be8d85151d9f1f75b27f61dbc
RedLineStealer
+ 14'472 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:zaur discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230206-lrmgqage7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
62.204.41.170:4172
Unpacked files
SH256 hash:
2a62ac253b6cd959b7131d37268d99bc515a09343e985cebda911d403bbf224e
MD5 hash:
314b2f270faf2d3af32447d1a19e873e
SHA1 hash:
88228152e3351a0cb3906e610fe05787ce814d7c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8eb3e8f3-4c10-47f7-800b-d4bb606eef81/
Parent samples :
e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca
103f1c25aaac16c39aca36ca629b1ab3b1226170753074ae924f27c0326aff1b
d52ccdf8ff0f75d337167b63b736c3a908c48caf6bbd39a2434e0baac41eef6f
7becab35b4300ad3c0be8e7dc12f311b140cb8a7b5338e0102fcf6f71c97157d
15019e74fe93e132d60d4f7fa7f2b23967c6bf0675936c0874117663067f8874
1498389b39bb5db52d583bc40f9e021934d53bbf8b363809ca0d4e58f9ba30ef
fcc8a1cd9b32433a8735fae44718bc36b2ea00b96df212c9d63186031d7af10d
ebd46441b3e3a1c1e64d6b0952dacb9bcdd896bb95c8a62bc3a4028a58b1573c
caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad
0e36e23f795621dce7b398b59cbb4db16683da88e133210f1bb17879b1dc94a6
SH256 hash:
2bea5697de809ccf492aa11315b9e5cbca8f6b478b7bdc518a90289eac27ea58
MD5 hash:
a4e324d41c32fd96abf9b1120fd06337
SHA1 hash:
1a06765964d3802ece0b6f1c4c73d6d2b33d1296
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8eb3e8f3-4c10-47f7-800b-d4bb606eef81/
Parent samples :
103f1c25aaac16c39aca36ca629b1ab3b1226170753074ae924f27c0326aff1b
caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad
SH256 hash:
7e39c951b6d469fa7e68bdcae3bfd9a98ad100a2b2db55dae88e71640823f65e
MD5 hash:
685932fb80294b302dd6b0910f692421
SHA1 hash:
02193d6758faa9808ef2e5b5e8d96665906d77ba
Link:
https://www.unpac.me/results/8eb3e8f3-4c10-47f7-800b-d4bb606eef81/
SH256 hash:
caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad
MD5 hash:
fc49185c7b22693cff35567cbd7feeec
SHA1 hash:
07d6cb638f66ae84ec8e00d30d0a4cbb7bf3e323
Link:
https://www.unpac.me/results/8eb3e8f3-4c10-47f7-800b-d4bb606eef81/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/caf51bbc2640/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2528642/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2529227/
Cape
Cape
https://www.capesandbox.com/analysis/360766/

Comments