MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d62f79000ab498b04dc5ae8809a43af49b35e2bf5d42a2fb1d192c545911d7c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	d62f79000ab498b04dc5ae8809a43af49b35e2bf5d42a2fb1d192c545911d7c7
SHA3-384 hash:	e9ac2124b60915b319064c9afb9a6461e7e30ebb331d02e9ad4b9b4e8decd18a95cf5f39fe80f140572b72996ca4439a
SHA1 hash:	edad39e8f2b0a86add8417a23b2fb7a056e8f7b3
MD5 hash:	1a3bccc9fbb9d14acdcc00d3594664be
humanhash:	black-sodium-quebec-ceiling
File name:	1a3bccc9fbb9d14acdcc00d3594664be.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	297'984 bytes
First seen:	2021-07-16 08:26:08 UTC
Last seen:	2021-07-16 08:42:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	54ed5ee2b1a666f990a66a9d9110b9b8 (2 x ArkeiStealer, 1 x RedLineStealer)
ssdeep	3072:RABFXYbnjHemoIkiNxuKDR+78r9T6QNx1XNm2RLK0Lt75+thuCQ4gdHT39E:RGMjHemfLNxD4UJPXNJRLWebHVT3O
Threatray	1'175 similar samples on MalwareBazaar
TLSH	T1AC54D0217EB0D433C6E3E9314474CBA42A7BB822D574B48E2353EB6E4E712D2B169747
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1a3bccc9fbb9d14acdcc00d3594664be.exe

Verdict:

Malicious activity

Analysis date:

2021-07-16 08:29:36 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/b356fb03-d8fa-4bde-94bd-7e1129f43839

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/172139/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46632189.2757.9803.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0fba71a4-c29f-4807-abed-82cc86a64d56

Result

Threat name:

Ficker Stealer RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/817367

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Ficker Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d62f79000ab498b04dc5ae8809a43af49b35e2bf5d42a2fb1d192c545911d7c7/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-15 21:06:26 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2yxxsaakwsmlatofv2eatjb26sntlyv7lvbkf6y5dewfiwir27dq._file

Verdict:

malicious

RedLineStealer

2e492cb7c8adba1e0e44b44c212802c8e891f0300d93060691e39f4f986da044

RedLineStealer

4c8d1a1d118384df23575d4421f573f9b97d984b295083b329a8ee08709dcfce

RedLineStealer

857b888bb465ce55999892cc1deaa9fdacc767b9b69439c266acce7a05e8ce47

RedLineStealer

8cc4a0ce91480663515a021ce82ce20b2b176b5c541fa09dbf3565517c4d5f8f

RedLineStealer

9c4589b45940c81fcc8722fa0f96f4b583995df1324a327eefbc276448ea4725

RedLineStealer

a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b

RedLineStealer

ad4fdfae7fcaa4464c67695dc43ba48ae0aa1209db04c92f5a4d11e2976895e4

RedLineStealer

b7a6bff8d1d5a3b1d323f949fa92bcd757e3c677de7f73da08cb7a1fba159ba3

RedLineStealer

b9f38162b58c91e8c2ad110219cc67d146ac17e81793d9179aca614037b2fb14

RedLineStealer

+ 1'165 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:updt01 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210716-b53gs4lfre/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

176.111.174.254:56328

Unpacked files

SH256 hash:

85db84b301f430b014faa278bbff2d5f2f1c47764034835655822a96964ce093

MD5 hash:

7e21fc3519313c97a6367b69851b557c

SHA1 hash:

cf238dfefb6817390bc8552a127d2573ce18760a

Link:

https://www.unpac.me/results/8aa8f171-756a-45a8-b55c-a61c13acdeb3/

SH256 hash:

80ef10ed7e19a4802db48da10a9a79d8b857c33ac552a57346d85354b117aeba

MD5 hash:

b618e3761d5dc9a2cae05ed212e0c2e7

SHA1 hash:

5774f271a4ace5c2d8f7a61468493eecf03e1fb8

Link:

https://www.unpac.me/results/8aa8f171-756a-45a8-b55c-a61c13acdeb3/

SH256 hash:

1cad4971995dad7632a1e2a29e3caf6bd5a88163b2f2104b4d0951558624904d

MD5 hash:

c58a92f40f71cbf011ca9c8c7cd30d0f

SHA1 hash:

225437c9dbb75718ba802833479abab157cb26ea

Link:

https://www.unpac.me/results/8aa8f171-756a-45a8-b55c-a61c13acdeb3/

SH256 hash:

d62f79000ab498b04dc5ae8809a43af49b35e2bf5d42a2fb1d192c545911d7c7

MD5 hash:

1a3bccc9fbb9d14acdcc00d3594664be

SHA1 hash:

edad39e8f2b0a86add8417a23b2fb7a056e8f7b3

Link:

https://www.unpac.me/results/8aa8f171-756a-45a8-b55c-a61c13acdeb3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d62f79000ab498b04dc5ae8809a43af49b35e2bf5d42a2fb1d192c545911d7c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe d62f79000ab498b04dc5ae8809a43af49b35e2bf5d42a2fb1d192c545911d7c7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1456640/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/172139/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample