MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab
SHA3-384 hash: 2e28cb779b84819e3e6a9c04d142c31917aa570f90fd7b1375f28025c7089f3ac4bba117311227fa203ae3866800a4a9
SHA1 hash: 1be9b53d33272b3730bf564d1f2b39119cfb7c78
MD5 hash: 440c6427f359554d5152d93dbb272cc2
humanhash: washington-july-comet-charlie
File name:440c6427f359554d5152d93dbb272cc2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:426'592 bytes
First seen:2021-09-26 17:06:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aac01a222c27d95b764bdaf23c96c3d3 (2 x RedLineStealer)
ssdeep 12288:Lh5LlXv51+8UrVgSOB6dtTwPWNH3rEiBW3d:LHLlXvCDIBk1H3oiBg
Threatray 1'681 similar samples on MalwareBazaar
TLSH T192942351291F6524EDF800B0EDAC8BE766879CA1DD9CCAB3E84C61E0950D4F3C61BF56
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.206.14.151:50125

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.206.14.151:50125 https://threatfox.abuse.ch/ioc/226817/

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
440c6427f359554d5152d93dbb272cc2.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-26 17:07:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d20e44e4-ff90-4547-9a0c-3b4037973fbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191822/
Detection(s):
Win.Malware.Doina-9896924-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4d73bb9-175c-48ef-91e5-c0234461cb04
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/858493
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
PE file has nameless sections
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab/
Threat name:
ByteCode-MSIL.Trojan.RelineStealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 17:07:05 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=moruq4nuqqks3tulalhcgiqh4keajgsv74ki2dxorv2xdbbnicvq._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
0fb73b5a78afbb7675fcf2e772b1f2c45bb5791973434c2edd18539f611b93c6
RedLineStealer
1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0
RedLineStealer
52c8b2a76e11b6fab2913cde02aca252462f61a89e0436815e272fc74f0137ec
RedLineStealer
671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96
RedLineStealer
830b27683258b9f669a465aa971db78884f34dbe8d6fd261a4eae6e850b88c43
RedLineStealer
9b219f917b2990b8e0ab9a60f9d7b61c281dbef457b20c2b0a1e5e8b1989d74c
RedLineStealer
a4ffe5148767a4349cc43b105357623c0a47f64433a55d0aaed63f3a2a3e4493
RedLineStealer
b5b8be0cd8c49e313fb626534cc7d705ef7591184753faaddcd87e0f74a2cac1
RedLineStealer
d1653b5cbbf61f3666ac0c5ac308b75d0d0c5029941ca9efbf37f18b51f9a3a6
RedLineStealer
e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
RedLineStealer
+ 1'671 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:teslalogs infostealer
Link:
https://tria.ge/reports/210926-vmze6afagn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.206.14.151:50125
Unpacked files
SH256 hash:
bc584d42feaecf3c5503839c6ef1879256e9feadd512a651b44e7abc01dcb32c
MD5 hash:
56e1cbfc2fa51d41f2575eae24af22c5
SHA1 hash:
4c1248c30e5727dd4eda3a475401d662945c880f
Link:
https://www.unpac.me/results/0369399b-6bd1-422b-9b92-a81f26d07786/
SH256 hash:
8f392ae41a9e849d413d0c4a98ea4bc9f3efedfc10f9fbfca0011cd7395ee583
MD5 hash:
794ad44ee55879777b4f7fc811677e2d
SHA1 hash:
9215336323a7f46b1dacb4fdf9f6acff80fb39b0
Link:
https://www.unpac.me/results/0369399b-6bd1-422b-9b92-a81f26d07786/
SH256 hash:
63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab
MD5 hash:
440c6427f359554d5152d93dbb272cc2
SHA1 hash:
1be9b53d33272b3730bf564d1f2b39119cfb7c78
Link:
https://www.unpac.me/results/0369399b-6bd1-422b-9b92-a81f26d07786/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1642816/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191822/

Comments