MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f608899eb5b861c21365d8409a1f506d7028919d31e36c1002e87573450f12b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	1f608899eb5b861c21365d8409a1f506d7028919d31e36c1002e87573450f12b
SHA3-384 hash:	afcaba2d1ebf1a87f9b10f81b4d0af304eaaadcb711c1feb3b24a6de3255ebc92791dc53b185a94763a3a02692ee5e55
SHA1 hash:	49c9c74c21d64afc76c90d9139e513efb92a4925
MD5 hash:	8d9e3fcf022a280e010848fdf87e154c
humanhash:	fillet-muppet-magazine-equal
File name:	8D9E3FCF022A280E010848FDF87E154C.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	310'784 bytes
First seen:	2021-07-12 15:41:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3a1cb83a0edcbf9718ebd5694ed3592a (1 x RedLineStealer)
ssdeep	6144:S5NpSZJd+Ig9bmbFS8L93BlYBoMdV4LTX4EAxqd0Y:ep2js9bqFSy3YBoMgfoEAxqd0
Threatray	1'175 similar samples on MalwareBazaar
TLSH	T1B964D0517590F472C0E74130947AC3F1A63ABCB16A369987B68B3B6F6E3339125F6312
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.117.75.47:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.117.75.47:80	https://threatfox.abuse.ch/ioc/159851/

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8D9E3FCF022A280E010848FDF87E154C.exe

Verdict:

Malicious activity

Analysis date:

2021-07-12 15:43:09 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a1b258a8-cb57-4fc9-ad2a-98519d45c6d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/171162/

Detection(s):

Win.Dropper.Zusy-9876039-0

Win.Packed.Generickdz-9876237-0

Win.Packed.SmokeLoader-9876310-1

Win.Packed.Zusy-9877982-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bc2783dc-f4bd-465a-b7a1-c43f61a6392d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/815013

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1f608899eb5b861c21365d8409a1f506d7028919d31e36c1002e87573450f12b/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-09 16:47:51 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=d5qirgpllodbyijwlwcatipva3lqfciz2mpdnqiaf2dvoncq6evq._file

Verdict:

malicious

RedLineStealer

4c8d1a1d118384df23575d4421f573f9b97d984b295083b329a8ee08709dcfce

RedLineStealer

76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93

RedLineStealer

9c4589b45940c81fcc8722fa0f96f4b583995df1324a327eefbc276448ea4725

RedLineStealer

ae2681f48a49d4f3f6effa370f6c83f2bdaa4f6976de4514a501139bc8579a2e

RedLineStealer

bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034

RedLineStealer

cc161c44340b9944936e1af83913c62bfe6cdc92703e19fc036e556bd89caf79

RedLineStealer

fdccd5539f179d7b405ebbc63749ce662af29a3bbe0b66816cce09029e785aaf

RedLineStealer

+ 1'165 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:new1 infostealer

Link:

https://tria.ge/reports/210712-asr59g7nse/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

dileyteney.xyz:80

Unpacked files

SH256 hash:

3a7d445582018e344d781869a1768bbd45125d09028aa1b8a62a4e27e94e5a72

MD5 hash:

bbd4f3872f29716cb83a181542251e95

SHA1 hash:

f0ff6ddf21980bf1e7b9afd2b180d4d211392e76

Link:

https://www.unpac.me/results/5525cfec-54c1-4a4d-94be-2841d823c215/

SH256 hash:

44531137af7ab729c7cde5cf05c7cc643871b137033c427e991052b36ae7e82a

MD5 hash:

a753cb66d0cc411f7b7093c828ccf57a

SHA1 hash:

910b1adf0a961538954356965355c3818dcdb8bc

Link:

https://www.unpac.me/results/5525cfec-54c1-4a4d-94be-2841d823c215/

SH256 hash:

d1061a3ae46b7c4bd21187a54d906131dc0356044fc20ca04da791cc954f503c

MD5 hash:

0fe0522a5c051de4b107cbde069558c0

SHA1 hash:

768a309953e1031659bf7db985296642267afa88

Link:

https://www.unpac.me/results/5525cfec-54c1-4a4d-94be-2841d823c215/

SH256 hash:

1f608899eb5b861c21365d8409a1f506d7028919d31e36c1002e87573450f12b

MD5 hash:

8d9e3fcf022a280e010848fdf87e154c

SHA1 hash:

49c9c74c21d64afc76c90d9139e513efb92a4925

Link:

https://www.unpac.me/results/5525cfec-54c1-4a4d-94be-2841d823c215/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1f608899eb5b861c21365d8409a1f506d7028919d31e36c1002e87573450f12b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171162/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample