MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7529359cf5f9d0cd7302e66fb9b121e1cc8763cae1d1d5ac278a4a0651f9ba7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: e7529359cf5f9d0cd7302e66fb9b121e1cc8763cae1d1d5ac278a4a0651f9ba7
SHA3-384 hash: 61fa834d42c29c754d0cf6f18baeed36f53171ce178c07a888cefdba4156d8ace8a177d309cf80510aac607d084e53d4
SHA1 hash: a2fa147e0f5b10e279939be8960a60f9cc661ad8
MD5 hash: 60b69396f30ba55f791bef097e8ae127
humanhash: low-seventeen-jig-wisconsin
File name: 60b69396f30ba55f791bef097e8ae127.exe
Signature: RedLineStealer
File size: 263'936 bytes
First seen: 2021-08-28 16:22:38 UTC
Last seen: 2021-08-28 17:18:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8e0bb80ced2d421c88737de82cded0ea (1 x RedLineStealer, 1 x Smoke Loader, 1 x RaccoonStealer)
ssdeep: 3072:v/FpkbkdYUWLcG2FSppsoXIo3zI9b0c8ZkEt9jId9GBOeGOdE5GNzBsI5/DuT61A:X39YUlxpo3zGMkE3jtGWvsI5/A/V1
Threatray: 5'175 similar samples on MalwareBazaar
TLSH: T1E644F015B6B1CC73C5D7097448A8C2A96A673A22AAB0CADB3F49477F3E213C1472D357
dhash icon: 1042e6faf2e47819 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 152
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://shy-art-b189.smartmirror.workers.dev/0://not%20virus.EXE
Verdict: Malicious activity
Analysis date: 2021-08-28 11:41:59 UTC
Tags: trojan rat redline stealer vidar evasion loader opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-08-28 11:40:56 UTC
AV detection: 15 of 25 (60.00%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:build3 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 65.108.48.203:48896
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe e7529359cf5f9d0cd7302e66fb9b121e1cc8763cae1d1d5ac278a4a0651f9ba7 (this sample)

Delivery method: Distributed via web download