MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e6e597383b3917fdb2f4d9ea0ad8ecf41210fdbb8161cb0b3b542252381b8bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments 1

SHA256 hash:	0e6e597383b3917fdb2f4d9ea0ad8ecf41210fdbb8161cb0b3b542252381b8bf
SHA3-384 hash:	9bd8c4f3298a956751e782eba7d62126f42ee1430c690cbd36837e851d34bc9d409721486a77658abdfd627c14dfd0d9
SHA1 hash:	183347471944d690296026d04abcfb0060ca50b9
MD5 hash:	bf05f4d0c2b7c91be09886feb7ce6956
humanhash:	mountain-johnny-queen-shade
File name:	bf05f4d0c2b7c91be09886feb7ce6956
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	324'096 bytes
First seen:	2021-07-15 13:27:49 UTC
Last seen:	2021-07-15 16:44:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6af0d1838918d8930ef3ce51c1f1c449 (2 x RedLineStealer)
ssdeep	3072:FAg/7Uv52ZnKAQiDafRxzYiiYu5bqiOupElVIVKVs675DhuCQPhzLTQNSvE:F4v52ZnKpi2fSZqhxsTbPhXTdM
Threatray	1'174 similar samples on MalwareBazaar
TLSH	T17964DF1572B0C823D5E2DA7410768BA42B7BBD626A70B14F33632F5E5E322D27169387
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bf05f4d0c2b7c91be09886feb7ce6956

Verdict:

Malicious activity

Analysis date:

2021-07-15 13:29:02 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/3436def0-95c6-43ae-a96a-9e9a32bd2f65

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/171998/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.5033.23504.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cf641c40-4df0-4195-b67a-c5b38832b424

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/816933

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Potential time zone aware malware

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0e6e597383b3917fdb2f4d9ea0ad8ecf41210fdbb8161cb0b3b542252381b8bf/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-07-15 13:28:06 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bzxfs44dwoix7wzpjwpkblmoz5ascd63xalbzmftwvbcki4bxc7q._file

Verdict:

malicious

RedLineStealer

4c8d1a1d118384df23575d4421f573f9b97d984b295083b329a8ee08709dcfce

RedLineStealer

857b888bb465ce55999892cc1deaa9fdacc767b9b69439c266acce7a05e8ce47

RedLineStealer

865fc17286ce58e28350c60fd7bb6ae82187c4af18f04afa9faa31ccaee3e1d2

RedLineStealer

8cc4a0ce91480663515a021ce82ce20b2b176b5c541fa09dbf3565517c4d5f8f

RedLineStealer

9c4589b45940c81fcc8722fa0f96f4b583995df1324a327eefbc276448ea4725

RedLineStealer

a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b

RedLineStealer

ad4fdfae7fcaa4464c67695dc43ba48ae0aa1209db04c92f5a4d11e2976895e4

RedLineStealer

b7a6bff8d1d5a3b1d323f949fa92bcd757e3c677de7f73da08cb7a1fba159ba3

RedLineStealer

b9f38162b58c91e8c2ad110219cc67d146ac17e81793d9179aca614037b2fb14

RedLineStealer

+ 1'164 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:updt01 infostealer

Link:

https://tria.ge/reports/210715-stkrgljqbe/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

176.111.174.254:56328

Unpacked files

SH256 hash:

85db84b301f430b014faa278bbff2d5f2f1c47764034835655822a96964ce093

MD5 hash:

7e21fc3519313c97a6367b69851b557c

SHA1 hash:

cf238dfefb6817390bc8552a127d2573ce18760a

Link:

https://www.unpac.me/results/42d4e574-dbc9-41b1-92c9-ff6d33905c3f/

SH256 hash:

80ef10ed7e19a4802db48da10a9a79d8b857c33ac552a57346d85354b117aeba

MD5 hash:

b618e3761d5dc9a2cae05ed212e0c2e7

SHA1 hash:

5774f271a4ace5c2d8f7a61468493eecf03e1fb8

Link:

https://www.unpac.me/results/42d4e574-dbc9-41b1-92c9-ff6d33905c3f/

SH256 hash:

1cad4971995dad7632a1e2a29e3caf6bd5a88163b2f2104b4d0951558624904d

MD5 hash:

c58a92f40f71cbf011ca9c8c7cd30d0f

SHA1 hash:

225437c9dbb75718ba802833479abab157cb26ea

Link:

https://www.unpac.me/results/42d4e574-dbc9-41b1-92c9-ff6d33905c3f/

SH256 hash:

0e6e597383b3917fdb2f4d9ea0ad8ecf41210fdbb8161cb0b3b542252381b8bf

MD5 hash:

bf05f4d0c2b7c91be09886feb7ce6956

SHA1 hash:

183347471944d690296026d04abcfb0060ca50b9

Link:

https://www.unpac.me/results/42d4e574-dbc9-41b1-92c9-ff6d33905c3f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0e6e597383b3917fdb2f4d9ea0ad8ecf41210fdbb8161cb0b3b542252381b8bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.