MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faef6881477bcddcdc4ef70525e388445bb385c558ee5ed08447488527be0de8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	faef6881477bcddcdc4ef70525e388445bb385c558ee5ed08447488527be0de8
SHA3-384 hash:	fe1d339c8758b7a8d6d7a5f46292c8bb61a14fe7eed7d007c95669b9b0e0c1fa58508fb29003de4db9d5e9352aba91aa
SHA1 hash:	47aa791d7082940eba2754f2302ad7bc5b85573a
MD5 hash:	7bd0607e809bbed2f1294a4bf3e91fe4
humanhash:	speaker-jig-mockingbird-king
File name:	7bd0607e809bbed2f1294a4bf3e91fe4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	413'696 bytes
First seen:	2021-11-24 17:16:35 UTC
Last seen:	2021-11-24 18:51:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	227bb68f00c01d84de5b7cf57cce44af (4 x RedLineStealer, 2 x RaccoonStealer, 1 x Gozi)
ssdeep	12288:jflFPptF6LnvPO27dawfY0Zn3ENvRfh+aNL2z:jflFPjFEvm2tfJ24awz
Threatray	9'399 similar samples on MalwareBazaar
TLSH	T1C594BF10ABA0D034F5B716F899B5D3B5AA3F7EE16B2891CB53C12AEA56346D0DC30707
File icon (PE):
dhash icon	e8e8e8e8aa62a489 (8 x RaccoonStealer, 6 x RedLineStealer, 2 x Tofsee)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7bd0607e809bbed2f1294a4bf3e91fe4.exe

Verdict:

Malicious activity

Analysis date:

2021-11-24 21:40:39 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/3813c5c7-af52-41cb-89a0-6dae72d4ead7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.6762.6488.26780.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/619e739102c80febc2a84f70/reports/92a06382-e305-470f-a661-3eb2cb5359b5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5ee49938-446e-4ec9-9ece-36d1451775a2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/895595

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

gozi

Link:

https://mwdb.cert.pl/sample/faef6881477bcddcdc4ef70525e388445bb385c558ee5ed08447488527be0de8/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-11-24 09:03:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 44 (65.91%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7lxwrakhppg5zxco64csly4iirn3hbofldxf5ueei5eikj56bxua._file

Verdict:

malicious

Label(s):

gozi

RedLineStealer

0f54e3a74da4ee2efba60740d755ae9764d9ba2327cd1f2b5c9ba55a8051745d

RedLineStealer

2d4ec0cb2534abb738c64bc285b1b5529fdde4f7a4055bb9b4e11f01ee065124

RedLineStealer

664846a3a1c48f0feb30ea31bbbaf3f0633c11347beabb7ab0be72e2c4d85cab

RedLineStealer

8016197048d53acca6887b24cb17fc392a88ec3774f95d15693dfbf1004f497f

RedLineStealer

880f78955671ad7c472a4ef3a5f051ce977a991060d67df5007cc13043cedaf6

RedLineStealer

944faf4998e18e48478849569763af6ee185646c90af7715752902ad9d8ff679

RedLineStealer

cc87729bab09fd3d13ceb36c1ea3ed112e7c1713a640ac4533c6f60f1a9640ba

RedLineStealer

dd87a1ede90c4badb48b58fef8385df2df01a35d61857322541796094e933dd2

RedLineStealer

+ 9'389 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:gozi_ifsb family:redline botnet:4483 botnet:udptest banker discovery infostealer spyware stealer trojan

Link:

https://tria.ge/reports/211124-vtpjjadccr/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Gozi, Gozi IFSB

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.56.146.64:65441
yahoo.com
doreuneruy.store
qorunegolu.club
https://doreuneruy.store
https://qorunegolu.club

Unpacked files

SH256 hash:

e1ae7e2b33b3dc036f12fac7f372134090935de29d453fdc0c838db5288340ab

MD5 hash:

c1108718dcfb2b7a752e2c4c1e27659d

SHA1 hash:

59c7c4ca474af49a7fc77e58da554f02f9d68191

Link:

https://www.unpac.me/results/b9df1460-e3fc-4bf2-a06c-abbbd0e6748e/

SH256 hash:

b602a2710845fe08f9c0b53c053ddc834e25b3e4cd36e6162ffed3a028346044

MD5 hash:

b4bfd945fe4a51c1a6f4aafa964aea7d

SHA1 hash:

5207263194c4902eb2dee4c2659a1af725057699

Link:

https://www.unpac.me/results/b9df1460-e3fc-4bf2-a06c-abbbd0e6748e/

SH256 hash:

a3016b6e5863c9b51ef7616c7bb720c2a2dc4b4ff545af47aabc8ad82b5dc45c

MD5 hash:

988bab2529a6b385e407ba8ef050dc51

SHA1 hash:

3851cb15de623f44d62581e970ab183d8ed4769c

Link:

https://www.unpac.me/results/b9df1460-e3fc-4bf2-a06c-abbbd0e6748e/

SH256 hash:

faef6881477bcddcdc4ef70525e388445bb385c558ee5ed08447488527be0de8

MD5 hash:

7bd0607e809bbed2f1294a4bf3e91fe4

SHA1 hash:

47aa791d7082940eba2754f2302ad7bc5b85573a

Link:

https://www.unpac.me/results/b9df1460-e3fc-4bf2-a06c-abbbd0e6748e/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/faef6881477b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/faef6881477bcddcdc4ef70525e388445bb385c558ee5ed08447488527be0de8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.