MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2a300aa264e87d33cba8d4f2062867abaa8e898fc729198c32c1b9a0a12998. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b2a300aa264e87d33cba8d4f2062867abaa8e898fc729198c32c1b9a0a12998
SHA3-384 hash: 1db8ffe3f76f83bc15644245e25b1ca6ffd605b677b0508ce07b3aa506476582eabaa62ee1bf1fa19ca06f5224d9c5b3
SHA1 hash: ad141d317758e9c92050ac7679f82e915aad6298
MD5 hash: 30a7b003c8807cc265dae2f001a9d00b
humanhash: cola-enemy-low-lamp
File name:57048663.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'134'400 bytes
First seen:2022-03-23 04:37:14 UTC
Last seen:2022-03-24 18:07:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 98304:1mvWh0CRXsCI8fVV8BtQxH6mv8W/kAGwCilRvZ:1wCQBeJh8WTGwCcRh
Threatray 5'724 similar samples on MalwareBazaar
TLSH T1281633EEB6C35DACC1CD81749CA228075C0EC5516FADEB036B4EB5D70A688F6EC8C516
Reporter adm1n_usa32
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/255242/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/623aa438dfdfa8501cd10bf0/reports/0847a383-ce10-4abb-89dd-538006b51857/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/962435
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b2a300aa264e87d33cba8d4f2062867abaa8e898fc729198c32c1b9a0a12998/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-23 04:38:26 UTC
File Type:
PE (Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmvdacvcmtuh2m6lvdkpebrim6v2vdujr7dssgmmgla3tifbfgma._file
Verdict:
malicious
Similar samples:
0ab1b5c9c84710787e4ebc733374663078ee715696f420945805fb46d6fe9978
RedLineStealer
36ed7e4e8dfce10773b1b1f1b7302e80d38bfd75d7c35bc5da2abf9a8a0b99e3
RedLineStealer
40f980ba0d6670399e23a86fb617649836cfa748958d9c75179663f359c2b479
RedLineStealer
a622231d8484511217750235fb454d1f947058d098aa7211eccd235a965056d0
RedLineStealer
f1a3756e7e9e19e2e27dd4924bf56318a67e1379f9cf1b841a9e977af5ae38fa
RedLineStealer
+ 5'714 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220323-e9fnkabgar/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
32117fe4f52535465fa41d4c242701b13d89a016df946e01d254fc98add11e35
MD5 hash:
490a5893872623625ff124b7477b0320
SHA1 hash:
e665a609eba6add0803f64a6ddd56d8d660b2fc4
Link:
https://www.unpac.me/results/7b8fef74-14c8-41e3-bb67-4f4c09024f47/
SH256 hash:
e623a728f93a92c87b53363ff0489b631b04e24540d19914b65c4b83417f4afb
MD5 hash:
21d154053bd80f14941b9121b57454f4
SHA1 hash:
48c151c4834d163ea1f27099b40d55a054738d45
Link:
https://www.unpac.me/results/7b8fef74-14c8-41e3-bb67-4f4c09024f47/
SH256 hash:
6b2a300aa264e87d33cba8d4f2062867abaa8e898fc729198c32c1b9a0a12998
MD5 hash:
30a7b003c8807cc265dae2f001a9d00b
SHA1 hash:
ad141d317758e9c92050ac7679f82e915aad6298
Link:
https://www.unpac.me/results/7b8fef74-14c8-41e3-bb67-4f4c09024f47/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6b2a300aa264/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b2a300aa264e87d33cba8d4f2062867abaa8e898fc729198c32c1b9a0a12998

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/255242/

Comments