MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d0649dcd71aee50ce46d7b54eeacde67f06f06db0f958515c2f34d79637d0c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	1d0649dcd71aee50ce46d7b54eeacde67f06f06db0f958515c2f34d79637d0c0
SHA3-384 hash:	e01ccdb013e153f23a9f288e432f17dab56b7076d3bf89d3347fc8d7e06e95dcda20d32bdc97f870f77437401ac09afd
SHA1 hash:	52ee39c05d53627ae675eec3df46cc1b673dbd11
MD5 hash:	d96fa040cb70c8b7d98e99bb43673562
humanhash:	yellow-ink-one-carolina
File name:	d96fa040cb70c8b7d98e99bb43673562.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	439'808 bytes
First seen:	2021-12-07 15:48:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5d39f822cf46cb1cac0e9a27db40014 (5 x RedLineStealer, 2 x Amadey, 2 x SystemBC)
ssdeep	12288:leg/Qjat4SMq+3IHjh6AOcmTJ8BPyX4UfEa:g0Ft4SMqj9H1meu4UMa
Threatray	3'797 similar samples on MalwareBazaar
TLSH	T13C94BF11E6A0D035F1F212F89AB5A369B92E7EB15B3890CF13D457EA5A749D0EC3031B
File icon (PE):
dhash icon	bedacabecee6baa6 (7 x RedLineStealer, 4 x Stop, 3 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d96fa040cb70c8b7d98e99bb43673562.exe

Verdict:

Suspicious activity

Analysis date:

2021-12-07 19:29:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5da0da7d-d731-42ad-9b05-f49a108acdfb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/212212/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/1244/overview

Behaviour

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61af827347ed217c0134b852/reports/302a1921-6d71-4df9-82ba-0e1e41706758/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/14be5c07-e0c1-4282-a209-5bd3bd8771f3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/903221

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d0649dcd71aee50ce46d7b54eeacde67f06f06db0f958515c2f34d79637d0c0/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-07 15:49:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

61945cb0d37bfb32d2f818e6b118d9968213903e73570769eda83a4405c5d783

RedLineStealer

6c90a4a65b4d10539243734b9783c414e8a95501e1272e1ef1de6b0e284d5899

RedLineStealer

a78ca974527199f93fa840fb13ccfc1808fb5d8288fc717e9136f3aff43efeee

RedLineStealer

ea19fbcf50356b81e6e2984caa0bf981b25cc4387fbb29868908ed2d5eb6f5b9

RedLineStealer

+ 3'787 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udpn infostealer

Link:

https://tria.ge/reports/211207-s9chssbadm/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

91.241.19.213:46284

Unpacked files

SH256 hash:

4d974e1d08460bd8fcf65788cea59bc96748ce0cc1c1497dd277619cbe34bf1d

MD5 hash:

cfa560544e482399ce9c943000d7b0d1

SHA1 hash:

f251de97b1da28e9c611d67266ad0d3c17d72b9f

Link:

https://www.unpac.me/results/3f063688-7008-40e2-858e-6a94104e2da3/

SH256 hash:

4fbabb708d043b641d6dce6b770b9f2c7dc39475dc240ba6ebff80f084b82295

MD5 hash:

a5ca74c6f82faead6d24dcde250525d4

SHA1 hash:

ae0754a38ab2494507017074d805f5dda7e1a285

Link:

https://www.unpac.me/results/3f063688-7008-40e2-858e-6a94104e2da3/

SH256 hash:

14468ffb4a7c03c4ae0975e2942cd5aed4bed4ea422f150df39fed87bc22f091

MD5 hash:

0877917441bf162620ffb8599e3c485b

SHA1 hash:

172be7c10124ab861f364f7e669635c338ae8a66

Link:

https://www.unpac.me/results/3f063688-7008-40e2-858e-6a94104e2da3/

SH256 hash:

1d0649dcd71aee50ce46d7b54eeacde67f06f06db0f958515c2f34d79637d0c0

MD5 hash:

d96fa040cb70c8b7d98e99bb43673562

SHA1 hash:

52ee39c05d53627ae675eec3df46cc1b673dbd11

Link:

https://www.unpac.me/results/3f063688-7008-40e2-858e-6a94104e2da3/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1d0649dcd71a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d0649dcd71aee50ce46d7b54eeacde67f06f06db0f958515c2f34d79637d0c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.