MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1467dbcc4b504ab94baaa6bf9dbb59dbddc3ea61a86452b61760cf6f50417364. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 1 File information Comments

SHA256 hash:	1467dbcc4b504ab94baaa6bf9dbb59dbddc3ea61a86452b61760cf6f50417364
SHA3-384 hash:	61c55fc9ca698bc02d8625c0fd31e41b858464e8376d7c49393f7bde6fb7384c06449afcc9ea8eba953ec7efc2818420
SHA1 hash:	a8c8de313cf2e6606cbc565c5fe135035a46b6d7
MD5 hash:	18499eaa223053517b1af7febe69c0b4
humanhash:	mirror-helium-rugby-speaker
File name:	18499eaa223053517b1af7febe69c0b4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	408'064 bytes
First seen:	2021-06-20 15:50:48 UTC
Last seen:	2021-06-20 16:34:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	325daf1bcd038e60cb3f2ac479057267 (12 x RedLineStealer, 1 x CryptBot, 1 x Stop)
ssdeep	12288:utd/ecqEJkSTg92nlwQ6pLZ0GBTo7c5Ezl:oGcqEJFplL6v0mT
Threatray	891 similar samples on MalwareBazaar
TLSH	C894BF10FA90C035E5F662F85ABAD3BDA52C39B1672490CB52D51AEE1B347E0EC31727
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
176.111.174.254:56328

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
176.111.174.254:56328	https://threatfox.abuse.ch/ioc/137666/

Intelligence

File Origin

# of uploads :

# of downloads :

198

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

18499eaa223053517b1af7febe69c0b4.exe

Verdict:

No threats detected

Analysis date:

2021-06-20 15:51:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f35d2ae3-7b32-462c-aceb-0f3ab4ef34a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/167201/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.30611.15942.6316.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a16bbe1e-d02d-4ce2-b2b7-395583e4c045

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/804946

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1467dbcc4b504ab94baaa6bf9dbb59dbddc3ea61a86452b61760cf6f50417364/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-06-20 15:51:09 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=crt5xtclkbflss5ku27z3o2z3po4h2tbvbsffnqxmdhw6ucbonsa._file

Verdict:

malicious

RedLineStealer

2f6576f6687bd9fa5d8a86389b03b564d3d82f6c3c63ccd64df6f460dc4dec65

RedLineStealer

34b19ae69f81f4e9a112373b8554dc1158433c3faaa6629840f4e0575226b46e

RedLineStealer

34c3d185dc61472fccfc4b49d646ccca9d057596dc8947e62773ca63205ef67b

RedLineStealer

3e503d31e990d9452c5f5ee146e7f83f46df6b034563f8a6d10959de7b43ae78

RedLineStealer

4cf4fe7855632a62537bf2acaa36cc8341cc9166370f12afab068b32d17a1c33

RedLineStealer

4f3a351455832dca36b70f79c591d224fd52865d5b7b47cab749e8791044d625

RedLineStealer

5640e973edefbcd5f30f0be1c1f4af39b138a70437c578bebb09bb790f3564ba

RedLineStealer

61d60c1fdab9751355ce7906702e272d2ad284d518178a136e1647d1349bcc95

RedLineStealer

b6ddaf7b356ff21ae461672f44f87944e5b5879b7442d50b545909a6fdc0e180

RedLineStealer

+ 881 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210620-qes5n91yle/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Unpacked files

SH256 hash:

aa6cc42ad1c627460a4c54cfa46fa1934518c510d2bdb323ee119c460136ed3f

MD5 hash:

f2eb93b3bbe3cad8a4b76e74ffd3ccff

SHA1 hash:

e018afa2e24e5eb03598d37d9142674ad1d7ac2f

Link:

https://www.unpac.me/results/8acb536e-8a16-4c56-a19d-bf56e5d096fe/

SH256 hash:

7296d60423fbfc4877e7bbb0c1352d0756908f9fbc53679bce463320e3a382f0

MD5 hash:

7ca1af0d05d832e6039ddb2629c6007f

SHA1 hash:

b3cf5b027fa6ee5a6cebb33bde0b36eb17e9956c

Link:

https://www.unpac.me/results/8acb536e-8a16-4c56-a19d-bf56e5d096fe/

SH256 hash:

8c7cdb6916702d2387737927da9a3c49a6f4c1033545c1ed9bb37fc2829e4803

MD5 hash:

dca556c5c11a934a767c12ac44f179e5

SHA1 hash:

900f5ad3481cdb4f82dccf97d0b7ab272e599dce

Link:

https://www.unpac.me/results/8acb536e-8a16-4c56-a19d-bf56e5d096fe/

SH256 hash:

1467dbcc4b504ab94baaa6bf9dbb59dbddc3ea61a86452b61760cf6f50417364

MD5 hash:

18499eaa223053517b1af7febe69c0b4

SHA1 hash:

a8c8de313cf2e6606cbc565c5fe135035a46b6d7

Link:

https://www.unpac.me/results/8acb536e-8a16-4c56-a19d-bf56e5d096fe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1467dbcc4b504ab94baaa6bf9dbb59dbddc3ea61a86452b61760cf6f50417364

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.