MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb
SHA3-384 hash: a6ffa352cd64090526e71a758e4d31de1e52e1fc966725c59a94881952fc21e521018e770a7d608ecf1d03dbf0a26d70
SHA1 hash: 5df754fada6bff50db52acc97b02d388c52a498b
MD5 hash: f65bbd4510c7bef492297e27b649e759
humanhash: queen-crazy-winner-washington
File name:f65bbd4510c7bef492297e27b649e759
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'131'696 bytes
First seen:2021-11-28 11:21:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1a264d655b87762021d55c982bf8951 (1 x RedLineStealer)
ssdeep 24576:K/3B/Xs2ty+Cv/GQr4sMizmtVQiyqW/mAtrcrUHb5OglUicv:K/3B/Xs2QX/GQrJMLV2qAmAJ7Hkpv
Threatray 360 similar samples on MalwareBazaar
TLSH T1FF35017723C6A28ECFB35EB0E5680B118E29EC332532547C61A0A567CC74E7A5D6B734
File icon (PE):PE icon
dhash icon ccb2dc9696dcbaf4 (2 x RedLineStealer)
Reporter zbetcheckin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f65bbd4510c7bef492297e27b649e759
Verdict:
Malicious activity
Analysis date:
2021-11-28 11:24:18 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/bc3e1b3c-3afe-4fd9-b5d1-4732d4e9ab44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38132741.11682.5471.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a3665dbbfd2af97cb73f7f/reports/58cc2623-1aab-4225-b3ed-486cf2b7818b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/244f5f7c-b904-4667-a148-c7380e1005f3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/897357
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-11-27 15:59:04 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=65rizdlzlfge4kqkempzrxzri5jsa24stdu4ns33lcjxjwyzftnq._file
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
RedLineStealer
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
RedLineStealer
4a2c3f7e489652350d3fd9df4259c52e2a9be9eb507d011779079d1e57e0301d
RedLineStealer
4ff85ed4a6ed753731533acba81fb31b38923cea1eff55ea524b1a7cbc48bc3b
RedLineStealer
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
RedLineStealer
833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2
RedLineStealer
b37e87a30c379dd3d84b2f9b5819cb32335d7230156d3ea01a7309502e9e6d0d
RedLineStealer
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
RedLineStealer
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
RedLineStealer
fa1a41ff82f9d6ca0473f9ac67f0d46e9576dd6608f9682d245f48ea872a3859
RedLineStealer
+ 350 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:mimikatz family:redline family:xmrig discovery infostealer miner spyware stealer
Link:
https://tria.ge/reports/211128-ngkw9acdb8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
mimikatz is an open source tool to dump credentials on Windows
Mimikatz
RedLine
RedLine Payload
xmrig
Unpacked files
SH256 hash:
af56de55779186df0cd17a25ecbb1411d4c2350be542d6f8c41a411f29ee6ec2
MD5 hash:
a0683eaa15a56947034e17834692a5ae
SHA1 hash:
dcccb52c72044a2f28cebe9f30a28545cf7055a8
Link:
https://www.unpac.me/results/6a26426d-1552-451f-9f5f-6884b1f24017/
SH256 hash:
f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb
MD5 hash:
f65bbd4510c7bef492297e27b649e759
SHA1 hash:
5df754fada6bff50db52acc97b02d388c52a498b
Link:
https://www.unpac.me/results/6a26426d-1552-451f-9f5f-6884b1f24017/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f7628c8d7959/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1828081/

Comments


Avatar
zbet commented on 2021-11-28 11:21:58 UTC

url : hxxp://coin-coin-coin-2.com/files/1118_1638012382_3369.exe