MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd7f353f2d972a7e3bdb396a66297c190407d117074b8f4945c0190c06e69c3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: fd7f353f2d972a7e3bdb396a66297c190407d117074b8f4945c0190c06e69c3c
SHA3-384 hash: 95572401f07aa23b76de701950f30136eb1c086f45d68583526b385ec5959a380ee7d4804f7eca3468461d91493d3bd0
SHA1 hash: 9ee32ce1d7dab57f66aec3f5443738aa49eb9c64
MD5 hash: afed25699b68eb6b0d7fa7fa382c55b7
humanhash: iowa-network-freddie-spaghetti
File name: file
Download: download sample
Signature: RedLineStealer
File size: 975'360 bytes
First seen: 2024-08-28 16:58:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep: 24576:8k70TrcWU/AG8VM6Lnjpzv71x13LzCwd2nAYJ5RErUkSVtUt7+DH:8kQTAWU18+wjp1xVL2/nIwkSVy5y
TLSH: T10025121130C1D233C4B691B445D7CA7A9F743126477A52E777AD2BBA6E203E2A3742CE
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Bitsight
Tags: exe RedLineStealer


Bitsight
url: http://147.45.44.104/yuop/66cf56ae6e345_ColeusesWalkathon.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 395
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: No threats detected
Analysis date: 2024-08-28 17:02:56 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 95.7%
Tags: Generic Infostealer Injection Network Static Stealth

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Adding a root certificate
Changing a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating synchronization primitives
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Forced shutdown of a browser

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed redline
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine Stealer
Verdict: Malicious

Result
Threat name: PureLog Stealer, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2024-08-28 16:59:05 UTC
File Type: PE (Exe)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 7/10
Tags: discovery

Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
.NET Reactor protector

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 74df5abcc618018e2876eee47e68424ccced03489c872cd793a98dd626d0e5ad
MD5 hash: dc2fa05ed28c786c763500ef049cbd35
SHA1 hash: 22e083ede9a781a26d27810a09dde5717f3cc198
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24 MALWARE_Win_MetaStealer

SHA256 hash: 31d0bfbc3f092eb710b323d474ec9aa61fe51f02360beef0ac0e128bacaf6259
MD5 hash: 591cf9443f22a8c7e3935d1d212fe2e6
SHA1 hash: e28f89b1a59140a3418a212e569008c752f27631
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 89545ffc0694601f76ac2518cb1160f8ec9be3d886b454cce62354d4262bd5d5
MD5 hash: 38977a1442c9d9450752998c9d0342a1
SHA1 hash: 27c5224b838b05f6fd49af404c4b527ef76eabf3

SHA256 hash: f9c74e366b9305abc645eaf5bbd729a1d4b94339fbf99d712a7650bd24aa141c
MD5 hash: 8f64fa53e5764858e9a5669ab9ae7cf1
SHA1 hash: a3763382da4ddcebdfd145a7c50eac3582d12869
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: f8eb5e1483bebdc42eaf459facf5f5ee54dd4b55b64aa39e75fdd1d3bed2a60d
MD5 hash: a554cb7ab200cdd4107b27ed330d7ec4
SHA1 hash: 082ce95781b70d796f23ac95acc5bd0c39de60bf
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24 RedLine_Campaign_June2021

SHA256 hash: fd7f353f2d972a7e3bdb396a66297c190407d117074b8f4945c0190c06e69c3c (this sample)
MD5 hash: afed25699b68eb6b0d7fa7fa382c55b7
SHA1 hash: 9ee32ce1d7dab57f66aec3f5443738aa49eb9c64
Detections: MAL_Malware_Imphash_Mar23_1 SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
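The imphash listed in the file information above (bf5a4aa99e5b160f8521cadd6bfe73b8) is shared with 423 RedLineStealer, 31 AgentTesla and 12 DCRat samples, and the MAL_Malware_Imphash_Mar23_1 rule fires on this sample purely because that value is on a known-bad list. An imphash is the MD5 of the normalized import table in import order, so it identifies the compiler or packer stub that emitted the imports rather than the payload family; a shared stub explains the cross-family hit. The Python below is an added example, not MalwareBazaar's or pefile's code: it implements the same normalization pefile and YARA's pe.imphash() apply (lowercase, library extension .dll/.ocx/.sys stripped, entries joined as lib.func with commas) over constructed import lists. One simplification is labelled in the code: pefile first resolves well-known ordinals of ws2_32.dll and oleaut32.dll to names, while this version always renders an ordinal as ordN.

```python
import hashlib

# Library-name extensions the imphash algorithm strips (the list pefile uses)
STRIPPED_EXTS = ("dll", "ocx", "sys")


def normalize_lib(name: str) -> str:
    """'KERNEL32.DLL' -> 'kernel32'; names with other extensions are only lowercased."""
    name = name.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in STRIPPED_EXTS:
        return base
    return name


def imphash_string(imports) -> str:
    """Build the comma-joined 'lib.func' list that imphash hashes.

    `imports` is a list of (library, entries) in import-table order; each entry is a
    function name (str) or an ordinal (int). Order matters: the same imports in a
    different order give a different imphash, which is why a packer stub that always
    emits the same fixed import table makes otherwise unrelated payloads cluster.
    """
    parts = []
    for lib, entries in imports:
        lib = normalize_lib(lib)
        for entry in entries:
            if isinstance(entry, int):
                # Simplification (assumption): pefile resolves known ordinals of
                # ws2_32.dll / oleaut32.dll to names first; here every ordinal is 'ordN'.
                func = "ord%d" % entry
            else:
                func = entry.lower()
            parts.append("%s.%s" % (lib, func))
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 over the normalized import string, the value MalwareBazaar reports as imphash."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import tables (not read from the sample on this page). STUB_A and STUB_B
# are the same imports with different casing, as two builds of one stub might present them.
STUB_A = [
    ("KERNEL32.DLL", ["CloseHandle", "TerminateProcess", "LoadLibraryA", "GetStartupInfoA"]),
    ("USER32.dll", ["MessageBoxA"]),
]
STUB_B = [
    ("kernel32.dll", ["closehandle", "terminateprocess", "loadlibrarya", "getstartupinfoa"]),
    ("user32.dll", ["messageboxa"]),
]
# Same functions, different import order: a different imphash.
REORDERED = [
    ("USER32.dll", ["MessageBoxA"]),
    ("KERNEL32.DLL", ["CloseHandle", "TerminateProcess", "LoadLibraryA", "GetStartupInfoA"]),
]

if __name__ == "__main__":
    print("STUB_A   :", imphash(STUB_A))
    print("STUB_B   :", imphash(STUB_B), "(equal to STUB_A)")
    print("REORDERED:", imphash(REORDERED), "(differs)")
```

Because the hash depends only on import names and order, two samples from different families packed by the same stub collide, and a sample whose import table is rebuilt (for example after unpacking) gets a new value; treat an imphash match as evidence about the packer, and the YARA imphash rule as a pivot, not as family attribution.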

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer
Executable exe fd7f353f2d972a7e3bdb396a66297c190407d117074b8f4945c0190c06e69c3c (this sample)
Dropped by: Privateloader
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables. The findings are static checks on the PE headers (Authenticode signature, DllCharacteristics flags); the capability rows are inferred from imported function names, which are listed in the Evidence column.

Findings

ID                         Title                                                      Severity
CHECK_AUTHENTICODE         Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)     high
CHECK_NX                   Missing Non-Executable Memory Protection                   critical
CHECK_PIE                  Missing Position-Independent Executable (PIE) Protection   high

Reviews

ID                 Capabilities                    Evidence
WIN32_PROCESS_API  Can Create Process and Threads  KERNEL32.dll::CloseHandle
WIN_BASE_API       Uses Win Base API               KERNEL32.dll::TerminateProcess
                                                   KERNEL32.dll::LoadLibraryA
                                                   KERNEL32.dll::GetStartupInfoA
                                                   KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API  Can Execute other programs      KERNEL32.dll::WriteConsoleA
                                                   KERNEL32.dll::WriteConsoleW
                                                   KERNEL32.dll::SetStdHandle
                                                   KERNEL32.dll::GetConsoleCP
                                                   KERNEL32.dll::GetConsoleMode
                                                   KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API    Can Create Files                KERNEL32.dll::CreateFileA
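All four BLint findings above are properties of the PE optional header: CHECK_AUTHENTICODE means the security data directory (index 4, the certificate table) is empty, and the other three are bits of DllCharacteristics (NX_COMPAT 0x0100, DYNAMIC_BASE 0x0040 for ASLR, HIGH_ENTROPY_VA 0x0020). The Python below is an added example, not BLint's code: it parses those fields directly from raw PE bytes and reproduces the four finding IDs, run here against constructed synthetic headers rather than this sample. Two choices are assumptions labelled in the code: CHECK_PIE is taken to mean the DYNAMIC_BASE bit (relocatable image), and HIGH_ENTROPY_VA is flagged regardless of bitness to match the report above, even though the flag only has effect for 64-bit images.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR may use the full address space (64-bit images only)
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR; taken as "PIE" here)
NX_COMPAT = 0x0100        # image is DEP/NX compatible

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table holding the Authenticode signature


def parse_pe_header(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header and
    return the fields the BLint findings depend on."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # signature (4) + COFF file header (20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        pe32plus, dirs_off = False, 96
    elif magic == PE32PLUS_MAGIC:
        pe32plus, dirs_off = True, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at +70 in both the PE32 and the PE32+ optional header
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)
    # NumberOfRvaAndSizes sits immediately before the data directory array; a truncated
    # array (fewer than 5 entries) means there is no certificate table at all
    (num_dirs,) = struct.unpack_from("<I", data, opt + dirs_off - 4)
    sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _rva, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"pe32plus": pe32plus, "dll_characteristics": dll_characteristics,
            "security_dir_size": sec_size}


def blint_style_findings(data: bytes) -> list:
    """Return the finding IDs from the report above that would fire for this image."""
    h = parse_pe_header(data)
    dc = h["dll_characteristics"]
    findings = []
    if h["security_dir_size"] == 0:
        findings.append("CHECK_AUTHENTICODE")
    if not dc & HIGH_ENTROPY_VA:  # assumption: flagged for 32-bit images too, as above
        findings.append("CHECK_DLL_CHARACTERISTICS")
    if not dc & NX_COMPAT:
        findings.append("CHECK_NX")
    if not dc & DYNAMIC_BASE:  # assumption: CHECK_PIE == DYNAMIC_BASE missing
        findings.append("CHECK_PIE")
    return findings


def build_synthetic_header(dll_characteristics: int, pe32plus: bool = False,
                           cert_size: int = 0) -> bytes:
    """Constructed minimal PE header for testing (headers only, no sections, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224  # fixed fields (112 / 96) + 16 directories * 8
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    dirs_off = 112 if pe32plus else 96
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, dirs_off - 4, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_size else 0, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("unhardened:", blint_style_findings(build_synthetic_header(0)))
    hardened = build_synthetic_header(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT,
                                      pe32plus=True, cert_size=0x2000)
    print("hardened:  ", blint_style_findings(hardened))
```

Run it on a real file with `blint_style_findings(open(path, "rb").read())`; a non-empty certificate table only shows that a signature is present, not that it verifies, so CHECK_AUTHENTICODE passing is a weaker statement than "validly signed".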

Comments