MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ffb6e3172d402b70786ecd608ad80c218b4c1c95d9c7d68ff5b346273f11235. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ffb6e3172d402b70786ecd608ad80c218b4c1c95d9c7d68ff5b346273f11235
SHA3-384 hash: de8166b576f6b8eed60cfd657745423db7bea6d136d81953dcc715d5153b0f41860e32a8046b794ecef4fb57ea048f09
SHA1 hash: 975439a24f9aaefcfcf0c9c50922f252baafe539
MD5 hash: 1be16217dc45fb721e8b80acd2d245c1
humanhash: uranus-helium-kentucky-grey
File name:1be16217dc45fb721e8b80acd2d245c1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:387'584 bytes
First seen:2022-03-30 11:05:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 962dcf4a4b969d5194f73601a217ba6f (4 x RedLineStealer, 2 x Stop)
ssdeep 6144:v35pxQj7Yh5hMXqNjB2UcS+Ll6Wt9mXjh8SLc5bjVDxmnFc+xg:v35pqS5hMXgjB2v5pmXjSSQ5bjpACU
Threatray 2'351 similar samples on MalwareBazaar
TLSH T11784AE00BA90D035F1B726F44979A7B8B53EBDE09B2451CB62C57AEE66356E0EC30317
File icon (PE):PE icon
dhash icon 8e334d6d7151338e (2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.141.165.150:80 https://threatfox.abuse.ch/ioc/466871/

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/259635/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.85874.19294.1216.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12091/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6244396aa19c649412abefca/reports/df918964-93ed-4ce3-b0a8-3781b9dddf58/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/140c346f-4dc2-4c7d-82ae-5bc3612ea7fc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/967516
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ffb6e3172d402b70786ecd608ad80c218b4c1c95d9c7d68ff5b346273f11235/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-03-30 11:06:07 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l75w4mls2qblob4g5tlarlmayimljqojlwoh22h7lm2ge47rci2q._file
Verdict:
malicious
Similar samples:
017118612816b95f23b39dbb5a82ea128aaf3afe315ce0314c020a9848dd6d80
RedLineStealer
7747839e392ad8592ef9acd85fce4dd64e1edafbf09900e7546ea11f5e924dad
RedLineStealer
a63806a04c7dc23ef99da422feb1192d69b6b627aa39ccc989362ae508af899e
RedLineStealer
c8bac790b4750a7c4b0edc5642f17913c4268c4b1759ddbf7ff990ba9c0909b7
RedLineStealer
cf0f1aa6daa5e46b0a8a0ab76ed31b54a96c6125617ad0d0d508d08df6ec6b9b
RedLineStealer
ddc087ef9f65b9db5875f5836b47b82cfe0af2d53cb43563033e27e7c3771f3a
RedLineStealer
de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229
RedLineStealer
+ 2'341 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220330-m7ebqagabq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
llenerelme.xyz:80
Unpacked files
SH256 hash:
599f4a2b10c617d1cd88711b23c9e70afbf5facb4fe0c31b9f6310fbc1b280a4
MD5 hash:
521ecf3ee92d6d67f0e93f5ceaad6be3
SHA1 hash:
fbbec797a7829e723bfc67afadab13e4140cb8f2
Link:
https://www.unpac.me/results/285111d3-10f4-4b42-bdcd-cd302da0e376/
SH256 hash:
4527306932775106bf2fcffcd45ac02b103c9a04892c35cb43c51526132e8c2f
MD5 hash:
9a7ed479cefd47f58a2cb236698f165b
SHA1 hash:
808acb82c7c0e0331dded8dd752c28e8784ff518
Link:
https://www.unpac.me/results/285111d3-10f4-4b42-bdcd-cd302da0e376/
SH256 hash:
9ea70651265afcb77396fb2b25dd9a09af4553027d81f144fe25b30462410dd3
MD5 hash:
fd0738e6ba3f02d643a890e77c62218d
SHA1 hash:
27b41988f8c8e85cb12b34d25fb1ff507ee36c03
Link:
https://www.unpac.me/results/285111d3-10f4-4b42-bdcd-cd302da0e376/
SH256 hash:
5ffb6e3172d402b70786ecd608ad80c218b4c1c95d9c7d68ff5b346273f11235
MD5 hash:
1be16217dc45fb721e8b80acd2d245c1
SHA1 hash:
975439a24f9aaefcfcf0c9c50922f252baafe539
Link:
https://www.unpac.me/results/285111d3-10f4-4b42-bdcd-cd302da0e376/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ffb6e3172d402b70786ecd608ad80c218b4c1c95d9c7d68ff5b346273f11235

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/259635/

Comments