MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 627898083243468f15943e3752d0ca2c463d2548316d5ca6bca78972c27cd6ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 627898083243468f15943e3752d0ca2c463d2548316d5ca6bca78972c27cd6ef
SHA3-384 hash: debd09183d21be923b083bc3f2dffb867cbbc1ace8a3c0467238a9529f5a916d578630b010205c8872bd097da5a50144
SHA1 hash: af8873fd51f41619ef3a9866e5d2f45fe616336c
MD5 hash: d76ba31bdfb2bb3b2a14704e7ed1c094
humanhash: delta-vermont-pizza-island
File name:d76ba31bdfb2bb3b2a14704e7ed1c094
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:387'072 bytes
First seen:2022-05-24 05:57:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c16dd46cbc11e53607645ca176b26b3e (7 x RedLineStealer, 1 x AveMariaRAT)
ssdeep 6144:6vmVkPnMK1J8c1MHY5BERizVaM/Dd+aWh8sEnI3I8n2J+zs7:6kEMK1uMOYYRizj/ch4I3I82J+A
Threatray 3'850 similar samples on MalwareBazaar
TLSH T19784BE14BA90C035F1B71DF05975A3A8753A79A16B3055CB63F6EAEE26346E0EC3130B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9824e790e4e7215c (5 x RedLineStealer, 4 x Smoke Loader, 2 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d76ba31bdfb2bb3b2a14704e7ed1c094
Verdict:
Malicious activity
Analysis date:
2022-05-24 06:05:09 UTC
Tags:
redline
Link:
https://app.any.run/tasks/94eab70b-087a-47f2-b1df-9c4e79dcf316

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273952/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19784/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/628c73eb3ec49f83a6c6a5fe/reports/d9a906e6-af80-46e1-a213-d888dbc06c12/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c27eca41-d7ee-4afa-aad4-affb3574f2e9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1000385
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/627898083243468f15943e3752d0ca2c463d2548316d5ca6bca78972c27cd6ef/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 03:37:21 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mj4jqcbsindi6fmuhy3vfugkfrdd2jkigfwvzjv4u6exfqt423xq._file
Verdict:
malicious
Similar samples:
11f864b4614cb3265b353220873deb49b07153a9d7547de3b15c2e95742a7798
RedLineStealer
23b1b84e17f913198de036137db4ee2207f8c1c94a747b130d0cca0644bc330e
RedLineStealer
831890c5dae911036233eccb29c335cc013affe4bcb77104a7c05374d8fffebb
RedLineStealer
8fe90f9a21cf8dc1a12a65981181a379ed9fff48b212a77c4897cbfaee7cac7b
RedLineStealer
b2a09ad10595641bc731dd1ced0cb493d47663894ba57da9a941031d1a73ce8a
RedLineStealer
cff9a1b58d27045ffbe799d15b1735af2c99dbc233040ad8e1f6be71c821578b
RedLineStealer
+ 3'840 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:lyla3 infostealer
Link:
https://tria.ge/reports/220524-gn6c7sbaaq/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
Malware Config
C2 Extraction:
185.215.113.201:21921
Unpacked files
SH256 hash:
d228744910307bc1c2ec2c2c4a63a3d8a61c50027958eb7fb5f0c5d9134eec49
MD5 hash:
f166058ceda371991b6d2637c9fb750d
SHA1 hash:
f8a98ca98ab7ce16db31cbe48c0c75c781c6282a
Link:
https://www.unpac.me/results/bbabd64a-ed9b-4b4d-bb0e-460bfb8c93a1/
SH256 hash:
60ce572f227d15d9c7cd9abf5f8af378b9471d19d80e3384614d768b7c499f96
MD5 hash:
44ada9580c7cf4e11e2e87b143484274
SHA1 hash:
ecb6ff2041e98c765ec33be27146c126f594f1d5
Link:
https://www.unpac.me/results/bbabd64a-ed9b-4b4d-bb0e-460bfb8c93a1/
SH256 hash:
dbfef0db6356ab72cdd884fafa642ab37451adbaab3c88cf745974f684354805
MD5 hash:
9fbe48a12155ca60c5ca35d0ec4469bc
SHA1 hash:
2931c209a6743a6ab1eb865a65aa8262d8b24500
Link:
https://www.unpac.me/results/bbabd64a-ed9b-4b4d-bb0e-460bfb8c93a1/
SH256 hash:
627898083243468f15943e3752d0ca2c463d2548316d5ca6bca78972c27cd6ef
MD5 hash:
d76ba31bdfb2bb3b2a14704e7ed1c094
SHA1 hash:
af8873fd51f41619ef3a9866e5d2f45fe616336c
Link:
https://www.unpac.me/results/bbabd64a-ed9b-4b4d-bb0e-460bfb8c93a1/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/627898083243/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/627898083243468f15943e3752d0ca2c463d2548316d5ca6bca78972c27cd6ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 627898083243468f15943e3752d0ca2c463d2548316d5ca6bca78972c27cd6ef

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2208920/
Cape
Cape
https://www.capesandbox.com/analysis/273952/

Comments


Avatar
zbet commented on 2022-05-24 05:57:57 UTC

url : hxxp://tumanjo.com/9/data64_4.exe