MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f07c88a523790b6109b9bdb9531b7d9f7c0c314f8b8c712b85ab81609da9c2e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: f07c88a523790b6109b9bdb9531b7d9f7c0c314f8b8c712b85ab81609da9c2e8
SHA3-384 hash: b19d5f9aa19bb0ce000cc704db8d617b3c4feefc121f31e2bc746582c6f52b486f82f89edf12e3bb6117233a620a2080
SHA1 hash: cfc12e06309c0bd22c536bf56e7d21ed040eea90
MD5 hash: e630aa3ed8a699e7bf41ad58988baa99
humanhash: monkey-california-georgia-speaker
File name: f07c88a523790b6109b9bdb9531b7d9f7c0c314f8b8c7.exe
Signature: RedLineStealer
File size: 238'080 bytes
First seen: 2021-09-28 05:32:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f98cc9327e2d65cc6189a693f26e1c1d (5 x ArkeiStealer, 4 x RaccoonStealer, 3 x RedLineStealer)
ssdeep: 3072:iZnhJyiY/EU72MPoOLtxvkQufcM7Yr0lD8ONRSbWUZuqfP3+xEu5z:iRTRU6gtLXvAPYr097gqqfM9t
Threatray: 6'300 similar samples on MalwareBazaar
TLSH: T12834F13138A0F472DB4389F54915D2D2127EBA322BA1967B339C5BBF0E712D0D63A356
dhash icon: b0a2b0a4f4f0ecb0 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.173.39.234:36881

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
185.173.39.234:36881  https://threatfox.abuse.ch/ioc/227271/

Intelligence

File Origin
# of uploads: 1
# of downloads: 98
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: zukuluti.pdf
Verdict: Malicious activity
Analysis date: 2021-09-28 00:16:50 UTC
Tags: evasion trojan opendir loader rat redline stealer vidar autoit 1xxbot
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour:
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature:
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour: behavior graph (image not reproduced)

Threat name: Win32.Trojan.Racealer
Status: Malicious
First seen: 2021-09-27 20:59:50 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:#proliv3 discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.173.39.234:36881
Unpacked files: (hash list not reproduced)

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments