MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5521e6f534557e3b61b5d9d02b332707f21190d2ee56756308fe36e20e72c4df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5521e6f534557e3b61b5d9d02b332707f21190d2ee56756308fe36e20e72c4df
SHA3-384 hash: 850ad0c50cabd73d55629cb6677ed7d31a0a7a6543dfa3a8c05d5eceb95a013d4291d24fd10b7c0d6ddac483db6a6608
SHA1 hash: 51f63f05e937284fc47194bd29a1490904845e80
MD5 hash: 6e25061bec6c07d72356aa185e24767c
humanhash: fifteen-uncle-avocado-finch
File name:6e25061bec6c07d72356aa185e24767c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:75'776 bytes
First seen:2022-02-17 17:46:15 UTC
Last seen:2022-03-17 16:58:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:GhrE3bZ0DPwwsV0iOLdlEbaqEYdszM0N/r:ugbWDPwKlnEbFEYF0h
Threatray 567 similar samples on MalwareBazaar
TLSH T1F273B52BD7634D48C5303BFCDEE2E6A50E9C5F8D2C32C79B49A6FC5031A6745B8099A1
File icon (PE):PE icon
dhash icon 9c4261796179bdc2 (4 x RedLineStealer, 1 x Cobalt Strike)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
Payload URL:
https://transfer.sh/get/q9wdd6/Mvuizr.log

Intelligence

File Origin
# of uploads :
3
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242320/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38992234.17603.30794.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620e89eda2660f3bb9f2f14a/reports/b7ca3f6b-b20f-4a21-8817-66d3e55bf508/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/84552847-0e5d-476a-a798-e6226b0815c6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/941871
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 574355 Sample: Hr0Hgb5CWj.exe Startdate: 17/02/2022 Architecture: WINDOWS Score: 92 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 3 other signatures 2->57 7 Hr0Hgb5CWj.exe 15 4 2->7         started        process3 dnsIp4 49 transfer.sh 144.76.136.153, 443, 49768, 49769 HETZNER-ASDE Germany 7->49 39 C:\Users\user\AppData\...\Hr0Hgb5CWj.exe.log, ASCII 7->39 dropped 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 8 other processes 7->18 file5 process6 signatures7 59 Uses ping.exe to check the status of other devices and networks 11->59 20 PING.EXE 1 11->20         started        23 conhost.exe 11->23         started        35 2 other processes 14->35 25 PING.EXE 1 16->25         started        27 conhost.exe 16->27         started        29 PING.EXE 1 18->29         started        31 PING.EXE 1 18->31         started        33 PING.EXE 1 18->33         started        37 11 other processes 18->37 process8 dnsIp9 41 yahoo.com 74.6.143.25 YAHOO-3US United States 20->41 43 74.6.231.20 YAHOO-NE1US United States 25->43 45 192.168.2.1 unknown unknown 25->45 47 74.6.231.21 YAHOO-NE1US United States 33->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5521e6f534557e3b61b5d9d02b332707f21190d2ee56756308fe36e20e72c4df/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-17 03:05:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1ae23f0ef7e87606cbedc68a7c5bc45f995462d13cac3907a2a5f344e8cc3f2e
RedLineStealer
1fd73d2549cb9a36d4a27fd7ed6f9ba7aa0ff0e1103b4b96821de901152b118e
RedLineStealer
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
RedLineStealer
38cfb802b835e2f9129680bbcbe93248ad21659931b8230e9c2109b3b496a873
RedLineStealer
41eed12a51e9f070c161a1cedac0e5eaab85d7c82513d5d5d2e798a19bc4fceb
RedLineStealer
53dc7f330bc5df4e3443064b653a94435af34f0f0de5949142efcc86cf6cd5ca
RedLineStealer
a6c03e7b69ffe6152468171e8669db1915efc0f225449dd2278f0c7e40e15ee2
RedLineStealer
cc023c690dd6423feb4187fe06693e15d46698b208568d6ce5a387bfcd893401
RedLineStealer
d25d9f082b1bbb64de38158bf1508f6ad98f41392f1428666b835f78f1406f50
RedLineStealer
e054e82df11497575ab2329cc1c862724cb4fa85d5fb94b75480c83015dc33ac
RedLineStealer
+ 557 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/220217-wcw3qacff5/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Unpacked files
SH256 hash:
5521e6f534557e3b61b5d9d02b332707f21190d2ee56756308fe36e20e72c4df
MD5 hash:
6e25061bec6c07d72356aa185e24767c
SHA1 hash:
51f63f05e937284fc47194bd29a1490904845e80
Link:
https://www.unpac.me/results/b81727b3-c565-41b7-a83d-4b198acf93b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/5521e6f534557e3b61b5d9d02b332707f21190d2ee56756308fe36e20e72c4df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/2046545/
Cape
Cape
https://www.capesandbox.com/analysis/242320/

Comments