MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a95cb73ac80f5968df35e2dcdabe224fd627041660aba54c4533ba1ca0dcd35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	4a95cb73ac80f5968df35e2dcdabe224fd627041660aba54c4533ba1ca0dcd35
SHA3-384 hash:	c640de3bf49341b91aa1691e7269281d6edf3dd359b9b472a1650142342ebc2a6f58dbcdf32a3f29f1506966ce24a05f
SHA1 hash:	52d1ff5a149b85728edbb4f2481c636d1e6b95a6
MD5 hash:	976fe2de773589d98e442e3cd0c3610f
humanhash:	cola-pasta-connecticut-delta
File name:	976fe2de773589d98e442e3cd0c3610f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	296'960 bytes
First seen:	2021-07-03 07:05:23 UTC
Last seen:	2021-07-03 07:40:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4519e6cb7f4eac42a56a5541d7cadb9 (1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	3072:RErSS9rdRgV9XvobhnuJ4eACb74ejo80jDhscLTH6TFNDLqRsc25L3zGJ8:RuSMdK3vQpUZ1UZ8JWMFNDLqRsco3KJ
TLSH	2F54F1117690C8B6E446847059A0CFB2A5FDBC3265B59C0B7BC41F6F1E713D2AABA307
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

976fe2de773589d98e442e3cd0c3610f.exe

Verdict:

Malicious activity

Analysis date:

2021-07-03 07:08:49 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/d723cb90-8a2a-414c-a0e2-af3fd0aa8745

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/169502/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37178408.8959.14816.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bca76fbc-215d-4aab-b3fd-28bd27e07d75

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/811383

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a95cb73ac80f5968df35e2dcdabe224fd627041660aba54c4533ba1ca0dcd35/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-03 07:06:11 UTC

AV detection:

24 of 46 (52.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jkk4w45mqd2zndptlyw43k7cet6we4cbmyfluvgekm52dsqnzu2q._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:pudt discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210703-p2qfb72qe2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

176.111.174.254:56328

Unpacked files

SH256 hash:

d3a86e8c7dfc6da4450f1a19e214637dc87e4bf9e0ad30034803ab80cace095c

MD5 hash:

cb5fc5dd3ba9fdd7af4b8eecf33f77d5

SHA1 hash:

d2bf6ecc946301c58381a88bf12d74204314b7e8

Link:

https://www.unpac.me/results/e48367af-ed68-486a-8741-b68031bafddb/

SH256 hash:

a3774922e16ff1224a3e509b6fffc7c1dabe5a9a680539608b78839e481d7f1e

MD5 hash:

651e96a0d52076aa5ed2d82739b5c9b1

SHA1 hash:

b1ccd75ad0feed1d11deecb72ef0abac5e3ecf09

Link:

https://www.unpac.me/results/e48367af-ed68-486a-8741-b68031bafddb/

SH256 hash:

e13e35685114980f612af2304d7916557b03dc43609ada58de42bfa1bd5929d1

MD5 hash:

d73b577cdc3854b7ba4b09f17a84e1db

SHA1 hash:

0b60823181914658cc07e8629fc9b5ddfcdf1fee

Link:

https://www.unpac.me/results/e48367af-ed68-486a-8741-b68031bafddb/

SH256 hash:

4a95cb73ac80f5968df35e2dcdabe224fd627041660aba54c4533ba1ca0dcd35

MD5 hash:

976fe2de773589d98e442e3cd0c3610f

SHA1 hash:

52d1ff5a149b85728edbb4f2481c636d1e6b95a6

Link:

https://www.unpac.me/results/e48367af-ed68-486a-8741-b68031bafddb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4a95cb73ac80f5968df35e2dcdabe224fd627041660aba54c4533ba1ca0dcd35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.