MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00fb6f91b51ac26bee53b42937074c9a0f662e9e2b0b9a70a7caba2547c68c65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	00fb6f91b51ac26bee53b42937074c9a0f662e9e2b0b9a70a7caba2547c68c65
SHA3-384 hash:	38678051a7d94e07d9b100325f2ca895dafcd8de3b5bd9dc3507c2ef902bb6a58488f45587fa00c099c0fa01822e0f4a
SHA1 hash:	5d31d97469e84eea34e0753d05fffb6c26463053
MD5 hash:	530766137f52580fec66e494e69addbe
humanhash:	alaska-single-beer-nevada
File name:	530766137f52580fec66e494e69addbe.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	417'280 bytes
First seen:	2021-10-26 21:56:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc12fa1c06b94f51dc8ec5d000654e41 (2 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	12288:K6w2tWx2QcB8xz/AVaUsMH4iVSIWJVHjbZiUeCd8gLlxvN:ZqwB8xzIMkVSI4kUKgLr1
Threatray	1'493 similar samples on MalwareBazaar
TLSH	T13C949D00AAA0C039F5F322F449B99368A53E7EE15B2460CF52D56AEE47356E1FC3135B
File icon (PE):
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
94.140.115.194:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
94.140.115.194:80	https://threatfox.abuse.ch/ioc/161418/

Intelligence

File Origin

# of uploads :

# of downloads :

337

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/200348/

Detection(s):

Win.Dropper.Chapak-9904235-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Launching a service

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/617879afa9d585e6d539ecdd/reports/1541cbd1-1431-4436-bd2c-ea2e329a5e96/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/58e704f9-f107-4cad-9ab6-2673cba864ec

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/877383

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/00fb6f91b51ac26bee53b42937074c9a0f662e9e2b0b9a70a7caba2547c68c65/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-10-26 21:57:04 UTC

AV detection:

32 of 44 (72.73%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ad5w7envdlbgx3stwqutob2mtihwmlu6fmfzu4fhzk5ckr6grrsq._file

Verdict:

malicious

RedLineStealer

1f1051d96cb5c92ca2a1677d2b33bd22d1aeb1ebcf0421643a60ae92a0c364ae

RedLineStealer

261728fc1400289488ed7168916b8752a2633c638724cb1653f671568437545c

RedLineStealer

47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80

RedLineStealer

4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7

RedLineStealer

c7dac0da25d58206459be8af996568547c3df0f76149c741e607249af4c47a67

RedLineStealer

ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf8cf9155e67e7a460c2c

RedLineStealer

e0035aa03440db1460ee92e59d384ed20dce147a7f62c846c486da9decac4b28

RedLineStealer

ffd34b321cc06d7af0ade5bbef7db266c91382c5ec49937f14475e974f9bf608

RedLineStealer

+ 1'483 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:666 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211026-1tw69sada6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

oucesesstor.xyz:80
edaycamanel.xyz:80

Unpacked files

SH256 hash:

418eb14a3bcf6529893cdb03b549d99f01761da2b89188f38e2575fec6eecb3a

MD5 hash:

54dd19e34e858236361af2f77cc88c7a

SHA1 hash:

d8a8856b73a3ef9696e4b142152c97f91592f390

Link:

https://www.unpac.me/results/81b3e0b6-3019-4bae-94ab-38c0801755f8/

SH256 hash:

7d9d01463f2234205024f3326b2a565f8e94f1f6a899a3a57dff42e001fb0309

MD5 hash:

941a11ada059b9710ae7286088330246

SHA1 hash:

2a476b1ea97ce08aabf8f799db85534773b4b99d

Link:

https://www.unpac.me/results/81b3e0b6-3019-4bae-94ab-38c0801755f8/

SH256 hash:

e7b6e9fab20416e9b2232bac8b55ba04e544558c633954a31a562f25b6bbd6bb

MD5 hash:

db4d6bdca29030f034a7dfb5558402e3

SHA1 hash:

19ae27ca6f8623f24a781ce7aff81dee5a25b97f

Link:

https://www.unpac.me/results/81b3e0b6-3019-4bae-94ab-38c0801755f8/

SH256 hash:

00fb6f91b51ac26bee53b42937074c9a0f662e9e2b0b9a70a7caba2547c68c65

MD5 hash:

530766137f52580fec66e494e69addbe

SHA1 hash:

5d31d97469e84eea34e0753d05fffb6c26463053

Link:

https://www.unpac.me/results/81b3e0b6-3019-4bae-94ab-38c0801755f8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/00fb6f91b51ac26bee53b42937074c9a0f662e9e2b0b9a70a7caba2547c68c65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/200348/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample