MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dca7dfca9a2d0c5dd7677e1491a2fd5c0e0c2f82026b7590f691561cb30cbd58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	dca7dfca9a2d0c5dd7677e1491a2fd5c0e0c2f82026b7590f691561cb30cbd58
SHA3-384 hash:	86c710e9a8df59f8bf72f691772084672938fdd6dd7ea0b2d4e843e4c8fd68ca693ec92a2203cc8a349b31f8f5b158fa
SHA1 hash:	4f00f0e2ddebac541d0b432e46fb33a02bf9dc71
MD5 hash:	a5d729556f83f07a15656b7f0a8ce37f
humanhash:	mexico-fix-cat-lemon
File name:	a5d729556f83f07a15656b7f0a8ce37f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	440'832 bytes
First seen:	2021-10-01 09:22:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5a793c1af998657d8cb142c6b1ce3fb8 (1 x RedLineStealer)
ssdeep	12288:FKf89ic78ix+yFxV6L+N1ltWNV7fVnk63H/Ny:FH8biRr/PWvRPVy
Threatray	1'487 similar samples on MalwareBazaar
TLSH	T127942343E1521E54D4220F71FDDD22EA38F2124A9B767A4384A376CCF94FE42D99D178
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.82.126.114:31858

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.82.126.114:31858	https://threatfox.abuse.ch/ioc/229414/

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://mega.nz/file/uAkWgDAT#fPHeXy3e_lFkYq4BeMfWCEMAl7jTsJUHW9BBm4qZO-U

Verdict:

Malicious activity

Analysis date:

2021-09-25 09:16:19 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/607bda78-5c92-4ce0-ba0f-bde5a26be5bc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/193948/

Detection(s):

Win.Malware.Doina-9896923-0

Result

Verdict:

Clean

Maliciousness:

Malware family:

Ryuk

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/369a3b10-f567-4612-839b-8d88465f2f1e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862617

Signature

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dca7dfca9a2d0c5dd7677e1491a2fd5c0e0c2f82026b7590f691561cb30cbd58/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-30 11:28:00 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3st57su2fugf3v3hpykjdix5lqhayl4cajvxlehwsflbzmymxvma._file

Verdict:

malicious

Label(s):

ryuk

RedLineStealer

25149614d2732a9db3e86ee490064f943cef5747b19d937d2f3cc2d7e13d29b7

RedLineStealer

254a6fba99bc343cff7fd8f52f147a15db60287f378bddbf146e528a31c83285

RedLineStealer

5e00970284b92c69f71325179e2f9a3cb40493c3b53efd997af571f0effacfd9

RedLineStealer

5f6faf0507fca9db0b364b6d4718b24eb3880054ecace3207de384e8037852b2

RedLineStealer

63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab

RedLineStealer

678f03e1574817fdf555ebe8701534034315d008addfb0dd7aac8fd35d17e855

RedLineStealer

9ea4469f78d2953c8061672f6c7630a9728b42944e37be3e30bc6774812af88a

RedLineStealer

c0da5841ddfc29dc9eea7d8d9e42d981385602f21025ec47798d302c3ef50096

RedLineStealer

d158afc32c31573efe9e0d25404b94a2ebf29e8abe352d67e9e7b2378028bd6b

RedLineStealer

+ 1'477 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@kissyt infostealer spyware

Link:

https://tria.ge/reports/211001-lcf2dsbde2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.82.126.114:31858

Unpacked files

SH256 hash:

bd7380cfb6d3d8e4043a5d24aad0fd37c684a1cbe1f406dbb42744106c935e69

MD5 hash:

a5276a34ee1f1168a8fb1a90b4829d4f

SHA1 hash:

eda33b7b075554bcd9ccef5b9039b5aea2f8bf35

Link:

https://www.unpac.me/results/dc0dd083-8400-48ca-821f-43ce6c79a776/

SH256 hash:

f044c6927dbcd29ed3755376a6d650036f535cf6a8f9799603cccdea788df61e

MD5 hash:

6c66612a31ce1852602273520f032d67

SHA1 hash:

0ae324912e92e0e8245d80c8e387d9cc3f4e1fff

Link:

https://www.unpac.me/results/dc0dd083-8400-48ca-821f-43ce6c79a776/

SH256 hash:

dca7dfca9a2d0c5dd7677e1491a2fd5c0e0c2f82026b7590f691561cb30cbd58

MD5 hash:

a5d729556f83f07a15656b7f0a8ce37f

SHA1 hash:

4f00f0e2ddebac541d0b432e46fb33a02bf9dc71

Link:

https://www.unpac.me/results/dc0dd083-8400-48ca-821f-43ce6c79a776/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/dca7dfca9a2d0c5dd7677e1491a2fd5c0e0c2f82026b7590f691561cb30cbd58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193948/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample