MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f1153b16dce8a116e175a92d04d463ecc113b79cf1a5991462a320924e0e2df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	0f1153b16dce8a116e175a92d04d463ecc113b79cf1a5991462a320924e0e2df
SHA3-384 hash:	4bf4f07e40e54127de7640f1a146e398a2de4b189a21dd1e9d26e310c61a12887cfff874d47ed2b34e818ebe6cbe4dcc
SHA1 hash:	c4ea3327dbc4a22140e8e5e209e5dad5b9cbe3ff
MD5 hash:	dd33f19f8304c9b080ece59f76be2340
humanhash:	shade-glucose-mango-pennsylvania
File name:	dd33f19f8304c9b080ece59f76be2340.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	429'056 bytes
First seen:	2021-04-01 13:00:58 UTC
Last seen:	2021-04-01 14:22:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	58720068c13c39e43ba1cc0727dc6386 (2 x RedLineStealer)
ssdeep	6144:cJfGTh1uG9awzyJaiOWqHJPPulZeGsuv3fg7tR/1RWirj8vlU6:cJObuG9MJQ35qeGsuvPg7tR/1R18tb
Threatray	398 similar samples on MalwareBazaar
TLSH	A494C01133E0C032D09715B68925C7B04EBBB9751A765ADFBBC40ABD5F246E29B3630B
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

dd33f19f8304c9b080ece59f76be2340.exe

Verdict:

No threats detected

Analysis date:

2021-04-01 13:05:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2c0b6fc0-760e-4bb5-b0c4-b3483921e158

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/130834/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.25660.12332.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/665145

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0f1153b16dce8a116e175a92d04d463ecc113b79cf1a5991462a320924e0e2df/

Threat name:

Win32.Trojan.Bsymem

Status:

Malicious

First seen:

2021-04-01 11:22:20 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b4ivhmlnz2fbc3qxlkjnatkgh3gbco3zz4nftekgfizasjha4lpq._file

Verdict:

malicious

RedLineStealer

24c6a342ebad96c85df3bf4318a0df5a42e27647657157ee5f9ab0b4ba051e10

RedLineStealer

37b026efa4d522e78254378341d61b888b1a454723c7bd50d11ead50d624d8da

RedLineStealer

54329e92940f21e4cf24c14a70f3e4874d91d7d15b74097c9fbd56b89f87738e

RedLineStealer

66a38cc4c3d771280b087ca859dfb95644588421f633e83abab7cd4e4169003f

RedLineStealer

a037c92bc75769e88e0d233c66624d579fda2f356b963caca083d89d8e331d40

RedLineStealer

becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272

RedLineStealer

c252253deb8ce68d6c44f555d2ce707f7581dc7267f5d6a892a626469691ef9f

RedLineStealer

cca7603860e679057bcb934a4bd7cf7b62ba96355cf7c367e2e50cbc6664253f

RedLineStealer

f7e90700d24a89ad3d5daed763f0efad40e3f0ba3b1cffdf2532e068b7f2727b

RedLineStealer

+ 388 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210401-8bbkfjxwpj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9

MD5 hash:

78a535422e2f6ee38d23303739633df4

SHA1 hash:

a79eb74129aaa63ca4175bad850510667e876255

Link:

https://www.unpac.me/results/743655b7-43cb-43eb-818c-cb39a31f17bf/

SH256 hash:

bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630

MD5 hash:

71705e85f8748ca46e31537e62e19037

SHA1 hash:

4f2b3ee4cf0809016c4a9f6958ec752067d838cd

Link:

https://www.unpac.me/results/743655b7-43cb-43eb-818c-cb39a31f17bf/

SH256 hash:

aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848

MD5 hash:

c61ed3bf3203c28408a6b58a338b0b07

SHA1 hash:

1eafb1e9511440ba36ba0f05d3fe0f076805fd75

Link:

https://www.unpac.me/results/743655b7-43cb-43eb-818c-cb39a31f17bf/

SH256 hash:

0f1153b16dce8a116e175a92d04d463ecc113b79cf1a5991462a320924e0e2df

MD5 hash:

dd33f19f8304c9b080ece59f76be2340

SHA1 hash:

c4ea3327dbc4a22140e8e5e209e5dad5b9cbe3ff

Link:

https://www.unpac.me/results/743655b7-43cb-43eb-818c-cb39a31f17bf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0f1153b16dce8a116e175a92d04d463ecc113b79cf1a5991462a320924e0e2df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.