MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65244e30fbf62074c5a09ea2157c865a66aec4dd3fb71f8594f6717dfe7e562c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments 1

SHA256 hash:	65244e30fbf62074c5a09ea2157c865a66aec4dd3fb71f8594f6717dfe7e562c
SHA3-384 hash:	e7c0adc9c20fccbb0b50bba40446ccb13cc7f05c801323d96f83e2afe4adb0634fd695c84387d4b784d6dadba7da45c2
SHA1 hash:	7622ce00152514d75852e2a99e51430f7efa8d7a
MD5 hash:	1f23a8b577037b9da9dab0dcce5ce720
humanhash:	iowa-vermont-seventeen-mountain
File name:	1f23a8b577037b9da9dab0dcce5ce720
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	407'040 bytes
First seen:	2022-03-08 17:41:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	74c91f6c2795156c5c810dd2bcd960ad (1 x Smoke Loader, 1 x DanaBot, 1 x RedLineStealer)
ssdeep	6144:Ln9DQJdJFF7XpHjQjfX9Zfr3SywqI+0yKRu95arO7K7/nNK2l:beJd7dXpDQjf3riyxIDyue7Krp
Threatray	13'382 similar samples on MalwareBazaar
TLSH	T1CE84CF10FA90C035F4B322F855B993ACB92E7EA19B6150CF63D52AE917746E0EC3135B
File icon (PE):
dhash icon	25ac1370319b9b91 (23 x Amadey, 14 x Smoke Loader, 9 x Tofsee)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/248420/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8626/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62279ae1b94fb38cb43fc0b8/reports/3578082e-5bf6-4a60-a067-fc6dd224d7f6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e162a00d-5385-4440-a996-f56af0b99300

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/952834

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/65244e30fbf62074c5a09ea2157c865a66aec4dd3fb71f8594f6717dfe7e562c/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-03-07 14:28:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=muse4mh36yqhjrnat2rbk7egljtk5rg5h63r7bmu6zyx37t6kywa._file

Verdict:

malicious

RedLineStealer

7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d

RedLineStealer

72cc7ecb49837771303a8f567a2b7dd2e7f5ad7790c5b3aa0011fb981106cb31

RedLineStealer

7d45f54744ff5c0cee3b3053ce2173a115251862eeba050b429ea911f7c36296

RedLineStealer

84b3387d512191b0764fde9a03d827cb42ffe33d864b115b959c61a0147aa64d

RedLineStealer

93640539e9c8428a5aaabe06fedaf6b32aaa33c021477413bb4a86f94deee712

RedLineStealer

b54930e793f340f807ab2492ea8dd18263ff267706e9b31ac4ce71e9c5fa7c4c

RedLineStealer

+ 13'372 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:dil infostealer

Link:

https://tria.ge/reports/220308-v93fbscgen/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

138.201.28.150:30718

Unpacked files

SH256 hash:

6577857fbab22de56eeb0ea53d04297ba5131e3e0dc8445b316331be1dd50193

MD5 hash:

03d1498b3804411a1c2c50fe24dbe77a

SHA1 hash:

e9ea9ed58f828f86493c679e18080f75a12fa368

Link:

https://www.unpac.me/results/11831c27-bbcc-469f-bab0-b8243f811205/

SH256 hash:

df1782bbfff709e377880e2295a85bca21a505923d64f22d459c815d024ad04d

MD5 hash:

a75d46ea284dc76b7c7a459a5eaac135

SHA1 hash:

1499a4178eaa73089d60ed44cdba4db5c7668133

Link:

https://www.unpac.me/results/11831c27-bbcc-469f-bab0-b8243f811205/

SH256 hash:

fce8798242b1e30453f9f8b5707aa5ed557b62d30616c1e32a02913ac55e724e

MD5 hash:

b235248d8c011e12dddc0a0c8b1bc33f

SHA1 hash:

0eb08f898a4cc0563670deb3bebd18ff99b314ed

Link:

https://www.unpac.me/results/11831c27-bbcc-469f-bab0-b8243f811205/

SH256 hash:

65244e30fbf62074c5a09ea2157c865a66aec4dd3fb71f8594f6717dfe7e562c

MD5 hash:

1f23a8b577037b9da9dab0dcce5ce720

SHA1 hash:

7622ce00152514d75852e2a99e51430f7efa8d7a

Link:

https://www.unpac.me/results/11831c27-bbcc-469f-bab0-b8243f811205/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/65244e30fbf62074c5a09ea2157c865a66aec4dd3fb71f8594f6717dfe7e562c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.