MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01fa6ab44dda66d487443953bccaff76a1399033de53158e06f2efaecda0bfec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments 1

SHA256 hash:	01fa6ab44dda66d487443953bccaff76a1399033de53158e06f2efaecda0bfec
SHA3-384 hash:	f2af4b6ebf1e221e8003be5e06ce11548087fe2f62c8ee18c5d7b5cc41ad98474f265fce02ec72d241c239ed51965d22
SHA1 hash:	3e17bb5aafd5f363bebc43b7b201fd333c7819ad
MD5 hash:	6eb2feee2eca144b665d472f56a0420d
humanhash:	ack-green-crazy-minnesota
File name:	6eb2feee2eca144b665d472f56a0420d
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'954'916 bytes
First seen:	2021-10-05 02:01:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	49152:L/B4rO6JHrGZYQ8hcEe//l5UxUVbH6cYLFQCS:L/aXHrGN8hcEe//lxpH6cYLOCS
Threatray	4'373 similar samples on MalwareBazaar
TLSH	T123064BF27A0F92EFC34A58F4F481D903D51813F28658A559DC297838D783D6A21CBBDA
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194805/

Detection(s):

SecuriteInfo.com.Dropper.Generic.VZR.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Connection attempt

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/615c060ee3d213d202b76dcf/reports/6739205f-da28-4622-980b-c939c36c398b/overview

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/32299a10-38b5-4b57-a164-09dfe52adac2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/864377

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/01fa6ab44dda66d487443953bccaff76a1399033de53158e06f2efaecda0bfec/

Threat name:

Win32.Packed.Themida

Status:

Malicious

First seen:

2021-10-05 01:14:06 UTC

AV detection:

16 of 27 (59.26%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ah5gvncn3jtnjb2ehfj3zsx7o2qttebt3zjrldqg6lx25tnax7wa._file

Verdict:

unknown

RedLineStealer

486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669

RedLineStealer

4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156

RedLineStealer

6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935

RedLineStealer

89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde

RedLineStealer

c7d53aab1530a4b65da95d7dff43015b845d56095a7a4f6838ccfc1cf45569dc

RedLineStealer

c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54

RedLineStealer

d158afc32c31573efe9e0d25404b94a2ebf29e8abe352d67e9e7b2378028bd6b

RedLineStealer

e7cc1a50c3ab054c7c102301d32b802813f0651154f585ac315d0778a81501c8

RedLineStealer

+ 4'363 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/211005-cf5pgshdeq/

Behaviour

Checks whether UAC is enabled

Checks BIOS information in registry

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

01fa6ab44dda66d487443953bccaff76a1399033de53158e06f2efaecda0bfec

MD5 hash:

6eb2feee2eca144b665d472f56a0420d

SHA1 hash:

3e17bb5aafd5f363bebc43b7b201fd333c7819ad

Link:

https://www.unpac.me/results/d3c7eddf-da5a-4cd8-81f5-7a840756e34e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/01fa6ab44dda66d487443953bccaff76a1399033de53158e06f2efaecda0bfec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)