MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec4d2c37d638ce4e6ae1053a1429e40cd5ad55c4821dc4959ddc09b9c6d06ffc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer
Vendor detections: 10



SHA256 hash: ec4d2c37d638ce4e6ae1053a1429e40cd5ad55c4821dc4959ddc09b9c6d06ffc
SHA3-384 hash: a20b7667e41face0226a49f7f916b3490c6979f7adebf6187ad04473450a6e6fc6c4f111cb2e44eb08f368210e39b62c
SHA1 hash: 8fea588488eade0fb7f53c29a1cc0bf1b06c6ce0
MD5 hash: f3cf8f5fb6694a2facf07326cc1df2ce
humanhash: steak-idaho-coffee-lactose
File name: f3cf8f5fb6694a2facf07326cc1df2ce
Signature: RedLineStealer
File size: 346'112 bytes
First seen: 2021-07-24 19:37:16 UTC
Last seen: 2021-07-24 21:44:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a06df199bc5c29ff1f7c13754059d5f1 (2 x RedLineStealer, 1 x CryptBot, 1 x DanaBot)
ssdeep: 6144:CPmWEG5XNQbKfBIJKsjnwd4PMBPAnpQx5AH:CPmoXK+GJxjnw6MBPAi
Threatray: 1'268 similar samples on MalwareBazaar
TLSH: T18A74D050F6B0DC32C094097404EAC1A4673CAC21BA75DE077B67BB6F6E712D125AA36F
dhash icon: 48b9b2b0e8c38c90 (6 x Smoke Loader, 5 x RedLineStealer, 3 x CryptBot)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer
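As an added check, not part of the MalwareBazaar page or its tooling: the Python below recomputes the digests listed above for a locally extracted copy of the sample and reports size or digest mismatches, so an analyst can confirm that what landed in the analysis VM is really this entry before running anything. Only the standard library is used; reading the file path from the command line is an assumption, and the empty-input digests in the self-check are the well-known reference values.

```python
"""Verify a downloaded sample against the digests listed on this page."""
import hashlib
import sys

# Digests and size copied from this MalwareBazaar entry.
EXPECTED = {
    "sha256": "ec4d2c37d638ce4e6ae1053a1429e40cd5ad55c4821dc4959ddc09b9c6d06ffc",
    "sha3_384": "a20b7667e41face0226a49f7f916b3490c6979f7adebf6187ad04473450a6e6f"
                "c6c4f111cb2e44eb08f368210e39b62c",
    "sha1": "8fea588488eade0fb7f53c29a1cc0bf1b06c6ce0",
    "md5": "f3cf8f5fb6694a2facf07326cc1df2ce",
}
EXPECTED_SIZE = 346112


def compute_hashes(data: bytes) -> dict:
    """Return lowercase hex digests for every algorithm named in EXPECTED."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def verify_sample(data: bytes, expected=EXPECTED, size=EXPECTED_SIZE) -> list:
    """Return a list of mismatch descriptions.

    An empty list means the bytes match the entry on file size and on every
    listed digest; any single mismatch is enough to reject the file.
    """
    problems = []
    if len(data) != size:
        problems.append(f"size {len(data)} != {size}")
    for name, digest in compute_hashes(data).items():
        if digest != expected[name].lower():
            problems.append(f"{name} mismatch: {digest}")
    return problems


if __name__ == "__main__":
    # Assumed usage: python verify_sample.py <extracted file>. Extract the
    # MalwareBazaar zip inside an isolated analysis VM, never on a production host.
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    issues = verify_sample(blob)
    print("OK: matches entry" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Because the comparison covers four independent digests plus the exact byte count, a transparently re-packed or truncated copy fails on more than one line, which makes the output easy to read when a download is corrupt rather than substituted.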

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 193.56.146.60:51431
ThreatFox reference: https://threatfox.abuse.ch/ioc/162770/

Intelligence


File Origin
# of uploads: 2
# of downloads: 118
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f3cf8f5fb6694a2facf07326cc1df2ce
Verdict: Malicious activity
Analysis date: 2021-07-24 19:39:59 UTC
Tags: trojan rat redline stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-07-24 19:38:05 UTC
File Type: PE (Exe)
Extracted files: 72
AV detection: 26 of 46 (56.52%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 193.56.146.60:51431
Unpacked files
SHA256 hash: 867851633b0a747e1fa0d99095e980fd72b41aa9c40569cb3350b0a04ea55aec
MD5 hash: 50e805954f9fc67755de4d74039694b8
SHA1 hash: 4ce539515d2d188617f2e1c81dc5f10d43a907f0

SHA256 hash: 73f3de9070adbc05752a26d378e2a5eecca51b99fbdcdf377ac325e1d0d95035
MD5 hash: 24afa0fb68f6942c019405843970b49c
SHA1 hash: 41900e84e2a62cc0b050663c9d32b48b411cd6a3

SHA256 hash: 70f65cb8ed306db0b9b3201dd96339419082f8db98e9b89edb8b9e7c5d2787f4
MD5 hash: d38b5ea76895344bf9e95e2c0624e4d8
SHA1 hash: 0aefd8bd6bfc6db66bbd41c7c54f9420d6c1559a

SHA256 hash: ec4d2c37d638ce4e6ae1053a1429e40cd5ad55c4821dc4959ddc09b9c6d06ffc (this sample)
MD5 hash: f3cf8f5fb6694a2facf07326cc1df2ce
SHA1 hash: 8fea588488eade0fb7f53c29a1cc0bf1b06c6ce0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe ec4d2c37d638ce4e6ae1053a1429e40cd5ad55c4821dc4959ddc09b9c6d06ffc (this sample)

Comments



zbet commented on 2021-07-24 19:37:17 UTC

url : hxxp://37.0.11.8/WW/file4.exe
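This page carries two network indicators: the C2 socket 193.56.146.60:51431 from the IOC table (also the extracted malware config) and the defanged download URL hxxp://37.0.11.8/WW/file4.exe from the reporter's comment. As an added example that is not part of the MalwareBazaar page, ThreatFox, or the reporter's comment, the Python below refangs the URL, derives the destination sockets, and sweeps constructed connection and proxy log lines for both, flagging the C2 hit on a non-standard port as the sandbox signature above describes. The two log formats, the sample log lines and the choice of 80/443 as "standard" ports are assumptions made for the example.

```python
"""Match this entry's network IOCs against connection and proxy log lines."""
import re
from urllib.parse import urlsplit

# IOCs copied from this MalwareBazaar entry: the ThreatFox C2 socket and the
# defanged download URL from the reporter's comment.
C2_SOCKETS = {"193.56.146.60:51431"}
DEFANGED_URLS = {"hxxp://37.0.11.8/WW/file4.exe"}

# Assumption for the example: ports that would not trigger the
# "known protocol on a non-standard port" observation.
STANDARD_PORTS = {80, 443}


def refang(url: str) -> str:
    """Reverse the defanging conventions commonly used on threat-intel pages."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def build_iocs():
    """Return (set of (ip, port) destination sockets, set of refanged URLs)."""
    sockets = set()
    for sock in C2_SOCKETS:
        ip, port = sock.rsplit(":", 1)
        sockets.add((ip, int(port)))
    urls = {refang(u) for u in DEFANGED_URLS}
    for url in urls:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        sockets.add((parts.hostname, port))
    return sockets, urls


# Constructed sample logs (not from the page). Connection log fields:
# "ts src_ip src_port dst_ip dst_port proto"; proxy log fields: "ts src_ip url".
CONN_LOG = """\
2021-07-24T19:40:01Z 10.0.0.15 49812 37.0.11.8 80 tcp
2021-07-24T19:40:09Z 10.0.0.15 49820 193.56.146.60 51431 tcp
2021-07-24T19:41:00Z 10.0.0.22 49011 142.250.74.68 443 tcp
"""
PROXY_LOG = """\
2021-07-24T19:40:01Z 10.0.0.15 http://37.0.11.8/WW/file4.exe
2021-07-24T19:40:30Z 10.0.0.22 https://www.example.com/
"""


def match_conn_log(text: str, sockets) -> list:
    """Return one hit per connection whose destination socket is an IOC."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed or truncated lines rather than crash
        ts, src_ip, _src_port, dst_ip, dst_port, _proto = fields[:6]
        if (dst_ip, int(dst_port)) in sockets:
            hits.append({
                "ts": ts,
                "src": src_ip,
                "dst": f"{dst_ip}:{dst_port}",
                "nonstandard_port": int(dst_port) not in STANDARD_PORTS,
            })
    return hits


def match_proxy_log(text: str, urls) -> list:
    """Return one hit per proxied request whose full URL is an IOC."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) < 3:
            continue
        ts, src_ip, url = fields
        if url in urls:
            hits.append({"ts": ts, "src": src_ip, "url": url})
    return hits


if __name__ == "__main__":
    socks, urls = build_iocs()
    for hit in match_conn_log(CONN_LOG, socks) + match_proxy_log(PROXY_LOG, urls):
        print(hit)
```

Matching on the full URL catches the staging download, while the socket match catches the C2 traffic regardless of protocol, which matters here because the RedLine C2 port (51431) would be invisible to a URL-only proxy search.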