MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584
SHA3-384 hash: a0721a55c206ffeeb13b763f296d93586d173dfac59148f443fc48266e9ea30b19d1668df5ac539aa63e594b9ca51866
SHA1 hash: add50de2b2001b21b1db5aaccac2d4b4742f8a58
MD5 hash: c1c11c2deaa44f89902852b29dd3c263
humanhash: william-spring-magnesium-tennis
File name:c1c11c2deaa44f89902852b29dd3c263.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:303'616 bytes
First seen:2021-01-16 07:26:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (221 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 6144:cmWj+3UVrm2U6fUtzNED4hnQGtFCXeuYSSdJMixE+:cmLSm3zNEshnQGtFGeuJWJTh
Threatray 980 similar samples on MalwareBazaar
TLSH F0541212C558950AF3E527B0D3B2CD7F03E040776FCEA7923B9EA749CE36997A482102
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://93.115.18.245:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c1c11c2deaa44f89902852b29dd3c263.exe
Verdict:
Malicious activity
Analysis date:
2021-01-16 07:32:12 UTC
Tags:
rat redline trojan
Link:
https://app.any.run/tasks/b93e4047-b038-4eae-9d31-fd6c5ae69fa5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112284/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/583012
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-01-16 07:27:05 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mtgtdupo5huvfarjiqygktgh4oaglab5utj3sft6skz67wlekwca._file
Verdict:
malicious
Similar samples:
00cd67353aee6b0f0f633e33626221e8b9e69f6037b49c8cf95188801b13aee2
RedLineStealer
0a39176f2d4a88456a7e5b903848374b621b29e8e5edf4620d24ed00d68ed01e
RedLineStealer
13e47f17dd6d83e44f9dedb7170f9f3aaedc3497a8ac97025962787f3f922155
RedLineStealer
1e6346b222a1d2a5cb29338f8a7e300724f7d90a87c73259f44de95c1573970c
RedLineStealer
1f97ed53cdcf5edc9f0a16379ed5dfc57d49235d7d1539bb97543ebd5a83e5b9
RedLineStealer
7d2193feb3fb2e72cea88023a60aae9defeae560358eddcba59d97bd8234bec9
RedLineStealer
b51f8605de8f2f239f7baa1e85144757f60c5106987b6cc7e0cdd228892121ca
RedLineStealer
c69abca6861cab059b6ae9f8745b25359ab757af64c6388efd386d04f87bafda
RedLineStealer
cfbb03f5736821b65dd01bdb4187911a278faa8c07fd29e402a24ea58c414259
RedLineStealer
db2d641b1a96b0b1dbaa96ea47d36d8cfe14aea247eac1283fd3bebbf81fbb3b
RedLineStealer
+ 970 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware upx
Link:
https://tria.ge/reports/210116-4y5dzvyrhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584
MD5 hash:
c1c11c2deaa44f89902852b29dd3c263
SHA1 hash:
add50de2b2001b21b1db5aaccac2d4b4742f8a58
Link:
https://www.unpac.me/results/d3d13c01-3a8c-4630-84a8-ba556adad5c0/
SH256 hash:
b613582d1a8c8d922c08cefc49e657ac3c56c89f287547d38db7139cd0a80245
MD5 hash:
b879c21973a2049047cb78e92c6505b6
SHA1 hash:
5dc9a600778a57ed8ae7751537f4b2220e2bb96d
Link:
https://www.unpac.me/results/d3d13c01-3a8c-4630-84a8-ba556adad5c0/
SH256 hash:
55945c175d77649816d4bdd62793a48f4ae0275780f720e6c527e9bf13ea2610
MD5 hash:
b67b9829c2540d0bcdfb12152b388a3a
SHA1 hash:
288713acd72c61ae2015c891eb7bf999857267af
Link:
https://www.unpac.me/results/d3d13c01-3a8c-4630-84a8-ba556adad5c0/
SH256 hash:
e877e4cc1d7127f1e33bb418f4722026fb56159155bc9c318bead4c875d96f1e
MD5 hash:
ceb517bc9079e3ef468da163ddc13459
SHA1 hash:
84196e0c0cc10ec52d5cc636b7bfed607ceb1af0
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/d3d13c01-3a8c-4630-84a8-ba556adad5c0/
Parent samples :
76b344ae7012a001747a0db9d0a72aa17d4af6b732263ec7674550b778916a88
b2150830c4f7af2133d1ce2c9279ae3021b49b610011ef546662ff18a7a15770
d4a4064f832fb856101831e663b4aaf0e0c6b19550c0f002830849cd9f1151b7
bc9ef9e6bb5655055b0078d9985d1556b3c88ed8d180446e3dae8cfc9614b423
3e0c5df082e1d3349a0578479117c25ede69746306031eb0005bd9526706952d
2e05757cd1dc1c3061132a64042776e87e22104fb625c5dd8f449c9a0a1d94a0
c28b4becc94a0cf4182fd2ae9ef906d92769a0dbc8b0e9bd37605490deaa40b0
39082e2e7b0a973be062cede767afe3861d570962c23d589d03dde43553b8900
0f770a543aa0bb60756427f61749835f17e1e6413672aa6af0b7b2c32bce49b9
0a39176f2d4a88456a7e5b903848374b621b29e8e5edf4620d24ed00d68ed01e
00cd67353aee6b0f0f633e33626221e8b9e69f6037b49c8cf95188801b13aee2
c69abca6861cab059b6ae9f8745b25359ab757af64c6388efd386d04f87bafda
1f97ed53cdcf5edc9f0a16379ed5dfc57d49235d7d1539bb97543ebd5a83e5b9
1e6346b222a1d2a5cb29338f8a7e300724f7d90a87c73259f44de95c1573970c
13e47f17dd6d83e44f9dedb7170f9f3aaedc3497a8ac97025962787f3f922155
038616b5db5a3c68ccfb202a79c7b48ffc9a65eba5d5c4886a0c56fa3ef637ed
2c01c4443eb37f42dea586897788eafbef78bcd1279f17c729584075e32ed5ff
898c957d6bc0417994827db79ca2c264ee100f0ccf54cafdbf18b4e9c9559c0b
db2d641b1a96b0b1dbaa96ea47d36d8cfe14aea247eac1283fd3bebbf81fbb3b
b62455332629537d0000e5b3fd06b557e12a9a4eb0b3019a3a9c3fec52377269
7eae7a527dfb3906b7248135fe8257a45cc9c3042c7b83a443dab71037afeb61
b51f8605de8f2f239f7baa1e85144757f60c5106987b6cc7e0cdd228892121ca
47126dae0ad329479b538ce8d1c466712ef5eb53fb206ab2f27ba2b51762756d
64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584
969934d1c582fb1c9265a30d3e3b6d666da2263b51b35a83f94fffedcc1efd1f
6380b6aacedc8b0dd90421a7cd2d933d8e5f546497699fd03dd4ce3983d57248
7d2193feb3fb2e72cea88023a60aae9defeae560358eddcba59d97bd8234bec9
cfbb03f5736821b65dd01bdb4187911a278faa8c07fd29e402a24ea58c414259
0bcdbd7631575e1764678e07bc71bd824c92c04a783c533891ebf5492f6ce409
fa123f422564ed8b12034d2fdecbafb53d8df264aa6d0fbfadaddd89c9e5ac5d
157d9bb89cc0d6dd6e2b3d741ecab24f9a87cf0960c13af9627c6a3a7f9752da
bd31dbd3d40287335fb70ce562f94de9f57c453bc590ff72154ed3242b2d7562
521bbb71dd98cad2946f25016fe0eb27ce076423b09819abc5dd09d24939a769
188959d64ed903223e021b3dde8ca0db7e6051d616f706d3c623bae526bee09e
0e8375f9c64761af219e6001c52889f3fbc65ab818d76deda8f04b549cb076ec
5550b1e0d878ef2c7296596d9a7a44d380b48c77121d8cf4f04289ac7ab9a1e6
93ce38eba1ad110f1c5ba6bb7ab636828673fa9525e010a930e52ac424309c06
SH256 hash:
e35e4d65c4f0cdaa0427355ec40daedaeca384cf89b91a20e269a974b77cb113
MD5 hash:
cb1467b0d2e76daff4fefcb93b9593ee
SHA1 hash:
bf32420422abb038396f2bd3622994c32e86c63a
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/d3d13c01-3a8c-4630-84a8-ba556adad5c0/
Parent samples :
76b344ae7012a001747a0db9d0a72aa17d4af6b732263ec7674550b778916a88
b2150830c4f7af2133d1ce2c9279ae3021b49b610011ef546662ff18a7a15770
d4a4064f832fb856101831e663b4aaf0e0c6b19550c0f002830849cd9f1151b7
bc9ef9e6bb5655055b0078d9985d1556b3c88ed8d180446e3dae8cfc9614b423
3e0c5df082e1d3349a0578479117c25ede69746306031eb0005bd9526706952d
2e05757cd1dc1c3061132a64042776e87e22104fb625c5dd8f449c9a0a1d94a0
c28b4becc94a0cf4182fd2ae9ef906d92769a0dbc8b0e9bd37605490deaa40b0
39082e2e7b0a973be062cede767afe3861d570962c23d589d03dde43553b8900
0f770a543aa0bb60756427f61749835f17e1e6413672aa6af0b7b2c32bce49b9
0a39176f2d4a88456a7e5b903848374b621b29e8e5edf4620d24ed00d68ed01e
00cd67353aee6b0f0f633e33626221e8b9e69f6037b49c8cf95188801b13aee2
c69abca6861cab059b6ae9f8745b25359ab757af64c6388efd386d04f87bafda
1f97ed53cdcf5edc9f0a16379ed5dfc57d49235d7d1539bb97543ebd5a83e5b9
1e6346b222a1d2a5cb29338f8a7e300724f7d90a87c73259f44de95c1573970c
13e47f17dd6d83e44f9dedb7170f9f3aaedc3497a8ac97025962787f3f922155
038616b5db5a3c68ccfb202a79c7b48ffc9a65eba5d5c4886a0c56fa3ef637ed
2c01c4443eb37f42dea586897788eafbef78bcd1279f17c729584075e32ed5ff
898c957d6bc0417994827db79ca2c264ee100f0ccf54cafdbf18b4e9c9559c0b
db2d641b1a96b0b1dbaa96ea47d36d8cfe14aea247eac1283fd3bebbf81fbb3b
b62455332629537d0000e5b3fd06b557e12a9a4eb0b3019a3a9c3fec52377269
7eae7a527dfb3906b7248135fe8257a45cc9c3042c7b83a443dab71037afeb61
b51f8605de8f2f239f7baa1e85144757f60c5106987b6cc7e0cdd228892121ca
47126dae0ad329479b538ce8d1c466712ef5eb53fb206ab2f27ba2b51762756d
64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584
969934d1c582fb1c9265a30d3e3b6d666da2263b51b35a83f94fffedcc1efd1f
6380b6aacedc8b0dd90421a7cd2d933d8e5f546497699fd03dd4ce3983d57248
7d2193feb3fb2e72cea88023a60aae9defeae560358eddcba59d97bd8234bec9
cfbb03f5736821b65dd01bdb4187911a278faa8c07fd29e402a24ea58c414259
0bcdbd7631575e1764678e07bc71bd824c92c04a783c533891ebf5492f6ce409
fa123f422564ed8b12034d2fdecbafb53d8df264aa6d0fbfadaddd89c9e5ac5d
157d9bb89cc0d6dd6e2b3d741ecab24f9a87cf0960c13af9627c6a3a7f9752da
bd31dbd3d40287335fb70ce562f94de9f57c453bc590ff72154ed3242b2d7562
521bbb71dd98cad2946f25016fe0eb27ce076423b09819abc5dd09d24939a769
188959d64ed903223e021b3dde8ca0db7e6051d616f706d3c623bae526bee09e
0e8375f9c64761af219e6001c52889f3fbc65ab818d76deda8f04b549cb076ec
5550b1e0d878ef2c7296596d9a7a44d380b48c77121d8cf4f04289ac7ab9a1e6
93ce38eba1ad110f1c5ba6bb7ab636828673fa9525e010a930e52ac424309c06
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/959579/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/112284/

Comments