MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cc5cd7cbf758f41dedcf4f9accd9af082d547437644a1e8afb2195698c34dde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	1cc5cd7cbf758f41dedcf4f9accd9af082d547437644a1e8afb2195698c34dde
SHA3-384 hash:	e7807031e9f12487217cb47a6c0456221e7b40ddff97dc207cd247c629e6414fcfc87afb53fe02de436fb23ae9ff047d
SHA1 hash:	0760540aec08b2033a434b976f6d75adf2520db5
MD5 hash:	4e22d9e4f5e24783410b78a02efcd673
humanhash:	juliet-alpha-cola-nevada
File name:	4e22d9e4f5e24783410b78a02efcd673.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	377'344 bytes
First seen:	2021-02-16 20:02:37 UTC
Last seen:	2021-02-16 21:54:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7203c5022b3e838ed3ddbbaf157a6570 (1 x RedLineStealer)
ssdeep	6144:OsPPGTXXP1IxdlGs3e2Y7tI48n605Tq6hGBCrBpU5exJchHwDEaN5U+9AAUQMpih:FPcPmxzGj2EI1n605TNxr7sVTavM
Threatray	193 similar samples on MalwareBazaar
TLSH	7984AE10FB90C079F5F712F40979D3A8A93979A17B2050EB62D71AEAD6346E0EC3135B
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/117432/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.fc.5320.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/609453

Signature

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/1cc5cd7cbf758f41dedcf4f9accd9af082d547437644a1e8afb2195698c34dde/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-02-16 19:40:22 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dtc427f7owhudxw46t42ztm26cbnkr2dozckd2fpwimvnggdjxpa._file

Verdict:

malicious

RedLineStealer

4bb82f05f31bbc7df2350efac1d0e9e46e5b78f11b50fa6b8313066454aec918

RedLineStealer

53694d09899c9de1600743b37ab45e9dc4e3eaf329dc410e87a3b7318d943012

RedLineStealer

808be962b671de3c658a363c3ca14ea5181d3669f0a23f0263a175e9416daab5

RedLineStealer

9024b91ce7d51dcba37b1c4d50e89d0819ef236f2e8adaac8e935dbdc49de99c

RedLineStealer

c434d4da9f9111e836666c93d246f062baa801b1fd098ab670c537353483bad0

RedLineStealer

d5a592a952140b52fde783c6281f82986a3aee2f05de63fe7b6ff2d76db11670

RedLineStealer

d8271e3a38ba916aa701c5b4cb01eb75abface3d401e604248434d7f79ffaad0

RedLineStealer

eb7daf5779270983a6593b9d58fdad20fd18100b1301ce0a03cc5d1b98bd333b

RedLineStealer

f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48

RedLineStealer

+ 183 additional samples on MalwareBazaar

Unpacked files

SH256 hash:

fd38dd84ce83079adf4a71b46d4890d9c0489a18933ef4dc2eb46b8b4e30c52f

MD5 hash:

b291597234e3408fd6c7c7c05f2d4937

SHA1 hash:

ecca66a470d065fb1b0b3ac0832452b51a6dea8a

Link:

https://www.unpac.me/results/5d28311f-a63c-4af2-9cd7-a49f938852a6/

SH256 hash:

e9e155ed60e1fcc0ad995d48c0fc7ac6bd5331923b33577a1d0fc018944bed29

MD5 hash:

dc8234d79d1e3ae7aad429aaa7b3db1c

SHA1 hash:

adfa0cd0eb7e4d82d6119382915c7cdcd48e2b64

Link:

https://www.unpac.me/results/5d28311f-a63c-4af2-9cd7-a49f938852a6/

SH256 hash:

06ef106949b8a165f680ef0b39db82c1ff561ef8a3ce9ad843a074cad2baf07f

MD5 hash:

61a14d00756f34f3253ad0c55b3329b2

SHA1 hash:

82a575b20b9fa32b0380cdf10e355a26101d8e43

Link:

https://www.unpac.me/results/5d28311f-a63c-4af2-9cd7-a49f938852a6/

SH256 hash:

1cc5cd7cbf758f41dedcf4f9accd9af082d547437644a1e8afb2195698c34dde

MD5 hash:

4e22d9e4f5e24783410b78a02efcd673

SHA1 hash:

0760540aec08b2033a434b976f6d75adf2520db5

Link:

https://www.unpac.me/results/5d28311f-a63c-4af2-9cd7-a49f938852a6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1cc5cd7cbf758f41dedcf4f9accd9af082d547437644a1e8afb2195698c34dde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.