MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26ea7b69bb2c20ea92fd8c5dbfe3316fba6923d7d268c189643eacfcffba0639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26ea7b69bb2c20ea92fd8c5dbfe3316fba6923d7d268c189643eacfcffba0639
SHA3-384 hash: da5104babc4794cef535dc82f69d55dded267638dc89c1ff6774b9b3dbf0c469e83152277f0488d60abd796aa1179668
SHA1 hash: 9f841e90da5228bb1ed2a23040fc7683f2d99311
MD5 hash: a5d4c8dc618988b493d564ce78b5e657
humanhash: march-romeo-stream-kentucky
File name:a5d4c8dc618988b493d564ce78b5e657.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:410'112 bytes
First seen:2021-11-23 09:01:41 UTC
Last seen:2021-11-23 11:07:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b90a6995421b6eb79d6bcd36b44f24cf (11 x RedLineStealer, 4 x ArkeiStealer, 1 x Tofsee)
ssdeep 6144:GMVHyUm/VAwRXpasi/C+MTKbKKnbIT6UCUZKzaAN7ig:VVGTZ/iq+TbVbIT6UC7aAr
Threatray 3'922 similar samples on MalwareBazaar
TLSH T1DC94C005ABA0C039F2B716F8897997B9763F7EA16B2490CB52D417EE56356E0DC3030B
File icon (PE):PE icon
dhash icon e0f8c8e8aa66a499 (5 x RaccoonStealer, 2 x RedLineStealer, 1 x FickerStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a5d4c8dc618988b493d564ce78b5e657.exe
Verdict:
Malicious activity
Analysis date:
2021-11-23 09:53:17 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/d6b333f9-b70f-4ddc-b59e-c4a7dd51ce58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Jaik.49513.19693.5992.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/619cae10f36138de3f36b9b0/reports/bbe0af5a-9250-4b63-bc43-eab4445101d5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dd3a0c9c-755c-4adc-ac19-84139006a344
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894548
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26ea7b69bb2c20ea92fd8c5dbfe3316fba6923d7d268c189643eacfcffba0639/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 09:02:10 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03e6cbf0499c16281e1fad318fed79c70ee3ebd0abc2d2577b8d5690759e5f2d
RedLineStealer
3ebbbaaf09f705f0d7f12a21466fc60f4a08ba7ed9c7fb209666e0d45e342405
RedLineStealer
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
RedLineStealer
510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901
RedLineStealer
cca02eaba0809751d81481ee4db3631ff546054d7ebb11d5099f58ca91dbadd2
RedLineStealer
e6b755d826848caf92c031cd0ad6a72af5161d3ae039f260d561e4297ed1ef05
RedLineStealer
+ 3'912 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:noname discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211123-kzge1acgd5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:26828
Unpacked files
SH256 hash:
073096e34441f4bd63001e27915dc32f27e3c917c960457dae925b76edb34683
MD5 hash:
a608101a686b274b51d79b0d5cd5611f
SHA1 hash:
bd2c0e920b44ea04abdcebc8bba365c6607a95f9
Link:
https://www.unpac.me/results/c09312d6-3d5f-4bc4-9f48-b182b0e66337/
SH256 hash:
efa8fec7208720e734903a42d2cb362fe3d6ba9769c26e52734a3ff87060239d
MD5 hash:
14386e7c1116fcb10790ed6a7991a945
SHA1 hash:
51c7afa94ca210e2aefd707246e17f08f2b33904
Link:
https://www.unpac.me/results/c09312d6-3d5f-4bc4-9f48-b182b0e66337/
SH256 hash:
bcaa0a2f1dbe3edb77349cfd30474c5ad541b80099c3b025a600fcc53346f810
MD5 hash:
d176199daf05e7b75d24e36d1aaeaa65
SHA1 hash:
0c98d33fe420bbf0decbe19a2fdb2e265ca65c85
Link:
https://www.unpac.me/results/c09312d6-3d5f-4bc4-9f48-b182b0e66337/
SH256 hash:
26ea7b69bb2c20ea92fd8c5dbfe3316fba6923d7d268c189643eacfcffba0639
MD5 hash:
a5d4c8dc618988b493d564ce78b5e657
SHA1 hash:
9f841e90da5228bb1ed2a23040fc7683f2d99311
Link:
https://www.unpac.me/results/c09312d6-3d5f-4bc4-9f48-b182b0e66337/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26ea7b69bb2c20ea92fd8c5dbfe3316fba6923d7d268c189643eacfcffba0639

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 26ea7b69bb2c20ea92fd8c5dbfe3316fba6923d7d268c189643eacfcffba0639

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1742317/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208607/

Comments