MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1abadd3fb21dbf1da2254539c73517d2af43ef9bdc3c67de66466fb961cb3fe6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	1abadd3fb21dbf1da2254539c73517d2af43ef9bdc3c67de66466fb961cb3fe6
SHA3-384 hash:	f19586e6321a300d727d0866ec9efb36cd9c601d9010527487d848b5ebb2238144e2ddcbc97b0a17dd9a36f6c41764d2
SHA1 hash:	8697406d4721bece062b437230a4164024ac5078
MD5 hash:	c0a3be8ab7f809c4e2678b6365e46290
humanhash:	freddie-social-september-maryland
File name:	c0a3be8ab7f809c4e2678b6365e46290.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	6'157'792 bytes
First seen:	2021-10-07 09:06:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f054065b5627efa75960a094c4ceb3ad (5 x RedLineStealer)
ssdeep	98304:DBd1StTicc6qSrcpPwlgrmHfdQ/NZ2a4yF/nhKzTyFTEwskg:td1Swcc6qSIWmrmHfXa4yxnEn9l
Threatray	9 similar samples on MalwareBazaar
TLSH	T11356236353B10088E1E48C3E8637BEE075F60BAB9F41B87955EE65D033166B6F352A13
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c0a3be8ab7f809c4e2678b6365e46290.exe

Verdict:

Malicious activity

Analysis date:

2021-10-07 09:15:27 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/6a15a7ec-099a-48fd-8f48-a0184811c85d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/195765/

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/615eb8bae3d213d202b9a27b/reports/ea0ee354-1f54-479c-8fca-e619759be5b2/overview

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/866233

Signature

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected VMProtect packer

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1abadd3fb21dbf1da2254539c73517d2af43ef9bdc3c67de66466fb961cb3fe6/

Threat name:

Win32.Infostealer.Generic

Status:

Suspicious

First seen:

2021-10-07 02:22:02 UTC

AV detection:

13 of 45 (28.89%)

Threat level:

5/5

Verdict:

suspicious

RedLineStealer

4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e

RedLineStealer

5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b

RedLineStealer

6d0083394a549c135820010343353dcfa2929aeaa83f72a50ec60a7263f4ec90

RedLineStealer

70c64a3f46820c47b44e30d3925165340735c7ce62ad124268820335ecc808be

RedLineStealer

84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04

RedLineStealer

a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4

RedLineStealer

a482e9723d71b2d6c24b51d821ad28e70017c7f99d67173aafccce64a87f22b6

RedLineStealer

cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8

RedLineStealer

Result

Malware family:

n/a

Score:

8/10

Tags:

vmprotect

Link:

https://tria.ge/reports/211007-k3cafscddp/

Behaviour

Suspicious behavior: EnumeratesProcesses

VMProtect packed file

Unpacked files

SH256 hash:

ce9d2ddcbeb5a0b2b197fddc02d2a96b45451e59445463782fca50e8c3551999

MD5 hash:

a51aa396194be5caa1dd35e6582fe5ba

SHA1 hash:

24dabb76ccc11d7ec2a0a372afdf0ab0866c9227

Link:

https://www.unpac.me/results/f995528a-4222-4e2f-b487-dd149fe2b651/

SH256 hash:

ce9aace86b33f9c3ab83055821534ddbbb10ea05b94a005a78274c71878c71a0

MD5 hash:

02e613e3ec40f2a0f197106c7b059d23

SHA1 hash:

6ece3b547c55d1ecb201ea104a069ab6d26cfd7e

Link:

https://www.unpac.me/results/f995528a-4222-4e2f-b487-dd149fe2b651/

SH256 hash:

1abadd3fb21dbf1da2254539c73517d2af43ef9bdc3c67de66466fb961cb3fe6

MD5 hash:

c0a3be8ab7f809c4e2678b6365e46290

SHA1 hash:

8697406d4721bece062b437230a4164024ac5078

Link:

https://www.unpac.me/results/f995528a-4222-4e2f-b487-dd149fe2b651/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1abadd3fb21d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1abadd3fb21dbf1da2254539c73517d2af43ef9bdc3c67de66466fb961cb3fe6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.