MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7ae50188329b933852d2d16d00940eb357455de728912b1201af138dc502ece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7ae50188329b933852d2d16d00940eb357455de728912b1201af138dc502ece
SHA3-384 hash: 679d6dd31b2df098d561f25bed54e9ae94793f4b0886097c5b103fffd50bd7ac41458ded176525f72f71aaac29d58e7d
SHA1 hash: 2d2707eec00b8be89a620d90815cd706b0fb4a9b
MD5 hash: 7b79646bd81cb36a7a6e805cad70679f
humanhash: delaware-triple-montana-november
File name:7B79646BD81CB36A7A6E805CAD70679F.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'427'096 bytes
First seen:2021-06-07 05:41:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 49152:j5+hFd6ZRXr+9O1Y18J3IOvCYLF3lf4BauOshri16xiz8lVHTIioOFZQ+v:j5aFdCXC/18xIO5Ldlf4YuOAriQxiqZT
Threatray 236 similar samples on MalwareBazaar
TLSH C0B533216EDD44FBCA5AB6701C587B125EEAF364074892CFA3E019563D113C2CBFD1AA
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
194.87.215.187:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.87.215.187:80 https://threatfox.abuse.ch/ioc/72132/

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7B79646BD81CB36A7A6E805CAD70679F.exe
Verdict:
No threats detected
Analysis date:
2021-06-07 06:04:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/70cfa569-6bf9-4f31-85a8-8b306ac2d0f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164836/
Detection(s):
Win.Malware.Bulz-9866401-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Enabling the 'hidden' option for files in the %temp% directory
DNS request
Connection attempt
Sending a UDP request
Sending an HTTP POST request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/797902
Signature
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 430298 Sample: jsoMTj8fER.exe Startdate: 07/06/2021 Architecture: WINDOWS Score: 84 30 matjiva.top 2->30 34 Found malware configuration 2->34 36 Antivirus detection for dropped file 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 2 other signatures 2->40 8 jsoMTj8fER.exe 7 2->8         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 8->26 dropped 28 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 8->28 dropped 42 Contains functionality to register a low level keyboard hook 8->42 12 cmd.exe 2 8->12         started        signatures6 process7 process8 14 @batynshnaps.exe 15 2 12->14         started        17 7z.exe 2 12->17         started        20 7z.exe 3 12->20         started        22 6 other processes 12->22 dnsIp9 32 matjiva.top 195.245.239.250, 49731, 49769, 80 ASBAXETNRU unknown 14->32 24 C:\Users\user\AppData\...\@batynshnaps.exe, PE32 17->24 dropped file10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7ae50188329b933852d2d16d00940eb357455de728912b1201af138dc502ece/
Threat name:
ByteCode-MSIL.Trojan.Spider
Create hunting rule
Status:
Malicious
First seen:
2021-06-04 02:37:13 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=66xfagedfg4thbjnfulnacka5m2xivo6okerfmjadlytrxcqf3ha._file
Verdict:
malicious
Similar samples:
06607b04da0cd27e4a7abff3df7ee0be86df8226e81a5706351526a3101d2aa2
RedLineStealer
3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c169c9fb4adb317f1d571f
RedLineStealer
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
RedLineStealer
4a2708b03dc190d7a2bb26c5ebcbd380ddc2d21f5bd8991be7f581d8b8e79737
RedLineStealer
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
RedLineStealer
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
RedLineStealer
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
RedLineStealer
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
RedLineStealer
e31da697e1f30aca20cb88b09a69ed60bdbba9b3c4da0e67e2654ecb541964f2
RedLineStealer
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
RedLineStealer
+ 226 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@batynshnaps infostealer
Link:
https://tria.ge/reports/210607-ngwg3r9skj/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
matjiva.top:80
Unpacked files
SH256 hash:
70c823392ec457d71e4cec6b645c384bab01b372d0c25fe055d7731826cde361
MD5 hash:
210aad0e4ef5218b419fc74e918cf5a6
SHA1 hash:
7601b99fa93996f0de46af484b8a29ff9e416580
Link:
https://www.unpac.me/results/f72821c2-92bb-4297-b0a0-28cee9738dad/
SH256 hash:
f7ae50188329b933852d2d16d00940eb357455de728912b1201af138dc502ece
MD5 hash:
7b79646bd81cb36a7a6e805cad70679f
SHA1 hash:
2d2707eec00b8be89a620d90815cd706b0fb4a9b
Link:
https://www.unpac.me/results/f72821c2-92bb-4297-b0a0-28cee9738dad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7ae50188329b933852d2d16d00940eb357455de728912b1201af138dc502ece

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164836/

Comments