MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd150019713c9fc025c9cdfffbbc44d92068df6e8455e52624a47f55fa70a2da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd150019713c9fc025c9cdfffbbc44d92068df6e8455e52624a47f55fa70a2da
SHA3-384 hash: d0a79c6a9c5f13a7ad0d34bf835a59bbeee996d2d2521bb12b44ba120b150046ecc96c12c5e46a9ba6ad33ebd7eb0bf8
SHA1 hash: 60d23eec15e5e4f0b5106da2196a38904529c449
MD5 hash: a22a45b46431cc5aed22ca537f59a801
humanhash: stairway-alpha-venus-hamper
File name:autoplay.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'617'143 bytes
First seen:2022-07-30 13:42:36 UTC
Last seen:2022-07-30 15:14:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:qlLf9Hqq3YPYbW0qGm0MN9drKnkiN9beSfpBieb5LxZ/Lv4Qyl3RuQ55313r:qlJqIlPesVb5LxZ/Ml3x
Threatray 261 similar samples on MalwareBazaar
TLSH T134C51A135A8B0E75DDD23BB461CB633AA734ED30CA3A9B7FB608C43959532C56C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tech_skeech
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.160:8673 https://threatfox.abuse.ch/ioc/840342/

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295223/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.32450.5257.15447.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27809/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay redline spyeye
Link:
https://www.filescan.io/uploads/62e535a2bcf76fcb6cd1391a/reports/ad3c2b1b-0367-4598-b87c-d57bbb5e7a5b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/beb99510-f762-4526-8842-e8d36f7c8df5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043510
Signature
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd150019713c9fc025c9cdfffbbc44d92068df6e8455e52624a47f55fa70a2da/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-07-30 13:43:11 UTC
File Type:
PE (Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zukqaglrhsp4ajojzx77xpce3eqgrx3oqrk6kjreur7vl6tqulna._file
Verdict:
malicious
Similar samples:
1576f4c2f31463121911c10c5bdfbe676eed69c510718d422ba2d2f0550b0012
RedLineStealer
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
RedLineStealer
6e5c9c412179a461e72c92c7761980a9b85f7eb09a36157bf2d4fecdf673887d
RedLineStealer
e0ff8d0d8988b4804a0442c0185f5e200849ad725a301678af8fd2c3ac81182c
RedLineStealer
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
RedLineStealer
e97c06fddcb4bc7c94855da7044d64d45f3b9eba58e58a79b75f0bb57629a194
RedLineStealer
+ 251 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
5eac499366428d26046abb3790bbf9bc07920b04eca8af1de066e395ff6a7b1d
MD5 hash:
de115a075ac72d80f65c1818b9b4f2cf
SHA1 hash:
e1e79e3dbb6070fbb6400cb36c02a49757bcdc97
Link:
https://www.unpac.me/results/68f3fa6b-59e4-48d2-a382-9c1c8cce362d/
SH256 hash:
cd150019713c9fc025c9cdfffbbc44d92068df6e8455e52624a47f55fa70a2da
MD5 hash:
a22a45b46431cc5aed22ca537f59a801
SHA1 hash:
60d23eec15e5e4f0b5106da2196a38904529c449
Link:
https://www.unpac.me/results/68f3fa6b-59e4-48d2-a382-9c1c8cce362d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd150019713c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd150019713c9fc025c9cdfffbbc44d92068df6e8455e52624a47f55fa70a2da

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cd150019713c9fc025c9cdfffbbc44d92068df6e8455e52624a47f55fa70a2da

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/295223/

Comments