MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cb95cc404cfc980c36cb61f53709115b283a35512bf62c09a74d044ca3dbc04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cb95cc404cfc980c36cb61f53709115b283a35512bf62c09a74d044ca3dbc04
SHA3-384 hash: b37d75f246e97c5c46f0092195cdce493662a1cd3a6993826440f7e9072bc8d196f9ef222047c6e83eb61fead5e50d39
SHA1 hash: cb9057e76d3774db64b235622a47db3c0a5d84cc
MD5 hash: cbe9d8314a920831ee1db1b8cbabb40b
humanhash: salami-october-six-double
File name:cbe9d8314a920831ee1db1b8cbabb40b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:393'216 bytes
First seen:2021-07-08 19:34:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6877f946bae2ca0d9e53a3d1d23bfb5c (4 x RedLineStealer)
ssdeep 6144:Htm2EsfN5Y1oYbJrcissWCnW6Oz1gZqZuLx478e+hDMEebNPXZbzv0Ut:HtcmY1oYbJr8X4bOz1gZqZh7ghDveZpx
Threatray 1'038 similar samples on MalwareBazaar
TLSH T1FB848E10FAA0C035E6F326F45ABA93B9A53D7AE15B2050CF52D46AED4B346E0ED31707
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170556/
Detection(s):
Win.Packed.Generic-9876400-0
Create hunting rule

Win.Packed.Generic-9876586-0
Create hunting rule

Win.Packed.Generic-9876630-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/685c86d1-cf00-454a-b901-556263f7fc50
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813734
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cb95cc404cfc980c36cb61f53709115b283a35512bf62c09a74d044ca3dbc04/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 01:16:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ds4vzraez7eybq3mwypvg4ercwzihi2vck7wfqe2otiejsr5xqca._file
Verdict:
malicious
Similar samples:
114858da0fd1b5ea7a2d05d6dbd8d6d752926a4bc912a297d97b5776746a31bc
RedLineStealer
12155a842ef95b7c5e481c325508c0cc43bba8128174c548cd72b67f12a97362
RedLineStealer
16dd8a22b82372491d537d12f0a0574a3756d1a225994d7d6f738fdcf1b10f2d
RedLineStealer
2afd735ca5d2ad8a8478c4832e4827b150e30d5f0b7c1dc174ce934017ee1d76
RedLineStealer
78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16
RedLineStealer
9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9
RedLineStealer
a4ba89389929db2c9baa52e9b858164dad161d53ba61a73712a2c3ba92b49ec5
RedLineStealer
b09e1e3ad712f773066bd497bb61406ff0c3f95746759e68e410a39184ce11a9
RedLineStealer
bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034
RedLineStealer
fe0921df62f37332cab9e56fbbfe050e204e196e55eb323657c1f0469a6ff27b
RedLineStealer
+ 1'028 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:08.07 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210708-r2wvxkzjcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.15:61506
Unpacked files
SH256 hash:
6d40af35b63e60f48c9e1f0d3483174310914b4e32f1afda39612962197287f4
MD5 hash:
4bdb246e252ce9b00c4b24482cdb5c59
SHA1 hash:
dbba266949f7c3b7e6c9a5126f1fea0e94ec27df
Link:
https://www.unpac.me/results/64672424-8dce-4c87-863e-f5de61b4c3f8/
SH256 hash:
a36c338f8a14d097885cd3a7e95b4e538767ef3f24171cf2daff8c4e9200f862
MD5 hash:
210263fd284d27daae3413611d2e5d33
SHA1 hash:
b95c39722ea7add84c6aa876fdc62d5b9966b34b
Link:
https://www.unpac.me/results/64672424-8dce-4c87-863e-f5de61b4c3f8/
SH256 hash:
658ca86149713110494f44d0665550c4d76107bbcb9450966cb629255469a033
MD5 hash:
a17b9dcbc20b5680d35f6b08f42b2d20
SHA1 hash:
9413b1766ca2990757a3ee9c1310a6579c8194a6
Link:
https://www.unpac.me/results/64672424-8dce-4c87-863e-f5de61b4c3f8/
SH256 hash:
1cb95cc404cfc980c36cb61f53709115b283a35512bf62c09a74d044ca3dbc04
MD5 hash:
cbe9d8314a920831ee1db1b8cbabb40b
SHA1 hash:
cb9057e76d3774db64b235622a47db3c0a5d84cc
Link:
https://www.unpac.me/results/64672424-8dce-4c87-863e-f5de61b4c3f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cb95cc404cfc980c36cb61f53709115b283a35512bf62c09a74d044ca3dbc04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1cb95cc404cfc980c36cb61f53709115b283a35512bf62c09a74d044ca3dbc04

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170556/

Comments