MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b56620688a7f68373fb56c30dcc017b6d8a45c2296846989a40c82c37e13cb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	6b56620688a7f68373fb56c30dcc017b6d8a45c2296846989a40c82c37e13cb9
SHA3-384 hash:	6f9e6d01b0db2b2207dc1ccddd5d76ffbdb2143311beb2d54ba3aec6b78b244e178807259a8052bd6fd76b7f521debb1
SHA1 hash:	295bc6499380775bc8e77d17f2f8648a5fcb27eb
MD5 hash:	5e8c095c34e25469696703a6e16afa4c
humanhash:	alaska-oranges-zulu-july
File name:	5e8c095c34e25469696703a6e16afa4c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	305'152 bytes
First seen:	2021-07-15 09:51:06 UTC
Last seen:	2021-07-15 11:21:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c4091a010a717ca7ee4824b5dba50590 (1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	3072:G8L3///iIOrd4ANS1wNK76IDxWMrVrWTM1a6pIHljVmzOU7QATY5rhuCQZc/q75C:GMhEdlSWNK7CMBi4XpIqaaQAJbeqy9
Threatray	1'101 similar samples on MalwareBazaar
TLSH	T11654CF5076B0C037D5E34B70547687A0263BBD626670712E625B2F6E3E322D1366E3AF
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5e8c095c34e25469696703a6e16afa4c.exe

Verdict:

Malicious activity

Analysis date:

2021-07-15 10:03:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0c47cf85-843e-4779-b5bc-981ecdeb0e18

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/171952/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.563.27123.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c5230581-61f9-4e9a-b842-a988bd1746b5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/816801

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Potential time zone aware malware

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b56620688a7f68373fb56c30dcc017b6d8a45c2296846989a40c82c37e13cb9/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-07-15 09:16:38 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nnlgebuiu73ig473k3bq3tabpnwyurocffuenge2idecyn7bhs4q._file

Verdict:

malicious

RedLineStealer

2de5bd332d8d0c6b405cb6c8309858f67c33fc1db5ab1e36cf619f1c434bfd45

RedLineStealer

45cfc2ce1e033a00c42202e16a7ba83229688d49d7776e175488c56aade45558

RedLineStealer

49e784cd4664d480317bc3e726821d153e14ebc8b335cebce963ec427e4dcea9

RedLineStealer

7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8

RedLineStealer

78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16

RedLineStealer

d1393748b163640113850583346ee301192def81a399142aa276691eecd4314a

RedLineStealer

d59ae43affeee4773c89a3bddf6da80f88e86dc5c91184890864f97fc7cd5f5b

RedLineStealer

e876f64f562cb894ae5ae5ef8cddc4d126f94eb2013a06b3814f879f7be98970

RedLineStealer

+ 1'091 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 15.07 infostealer

Link:

https://tria.ge/reports/210715-zbbjwcg34a/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

2d4478cd245e0dc5d4b8f9be964ef101d74690f030822d6fcdc134f638cab60d

MD5 hash:

85ac82e34034415cf4e11190a02ea96d

SHA1 hash:

f20bccf2f9bcb7503d47d494a56f38542f6fe072

Link:

https://www.unpac.me/results/b6c127b9-c159-4727-949e-ff344a947659/

SH256 hash:

78ea237e12b2b9b74dcc007f70671cdc8b414a7d80670817f97aa305aa9da75b

MD5 hash:

e113aed75f475e1fa795599737391f92

SHA1 hash:

9292b0f6e53b5b19e70510a5a8d83fb26be0933f

Link:

https://www.unpac.me/results/b6c127b9-c159-4727-949e-ff344a947659/

SH256 hash:

6501d315ebce110bd72f72b58bad753c8f1328f22794f4edd10675415f4e8b90

MD5 hash:

d31e2f9e65ae1d233bbe284f20f6a834

SHA1 hash:

12f3ed4e72075a2a7d709a744953966e13fd65b1

Link:

https://www.unpac.me/results/b6c127b9-c159-4727-949e-ff344a947659/

SH256 hash:

6b56620688a7f68373fb56c30dcc017b6d8a45c2296846989a40c82c37e13cb9

MD5 hash:

5e8c095c34e25469696703a6e16afa4c

SHA1 hash:

295bc6499380775bc8e77d17f2f8648a5fcb27eb

Link:

https://www.unpac.me/results/b6c127b9-c159-4727-949e-ff344a947659/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b56620688a7f68373fb56c30dcc017b6d8a45c2296846989a40c82c37e13cb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.