MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f14dcd1c276f021ae900501a048f461ff849ef59dbc860339911a28ace7c757. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments 1

SHA256 hash:	6f14dcd1c276f021ae900501a048f461ff849ef59dbc860339911a28ace7c757
SHA3-384 hash:	127891493ac219e51d41405afb68940d3469a6a2ad82db825e721f7612044991443c10dcf84a934dc61a3633289b421c
SHA1 hash:	8645465d2518a399fb8babc9f0b39b260d8f04a3
MD5 hash:	0a3a43c545b504fca1908688bbe661a4
humanhash:	beer-five-purple-failed
File name:	0a3a43c545b504fca1908688bbe661a4
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	98'304 bytes
First seen:	2021-08-02 16:21:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	1536:mHB+zRmEOBKQUcSXWMiQ/HVWBRs3mW1kxSSmbf9Ba3xHTPyHddY83EtxbIj8EnGq:mwzRmE1QULWMiQ/QBRs3fkxSX1KxHbyn
Threatray	1'043 similar samples on MalwareBazaar
TLSH	T1F5A35D28A39C9B16E2FD4775667001294BF0E1CB6011EB4B9ED5B8DB2F72BC235059F2
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0a3a43c545b504fca1908688bbe661a4

Verdict:

Suspicious activity

Analysis date:

2021-08-02 16:22:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eeaf4993-46a9-4a98-88a5-007023afb349

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/175849/

Detection(s):

Win.Malware.Bulz-9880537-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f54bd778-c26c-4b8f-a848-043fc414dfbb

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/825629

Signature

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Multi AV Scanner detection for submitted file

Potential time zone aware malware

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6f14dcd1c276f021ae900501a048f461ff849ef59dbc860339911a28ace7c757/

Threat name:

ByteCode-MSIL.Infostealer.RedLine

Status:

Malicious

First seen:

2021-07-23 03:43:01 UTC

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n4knzuoco3ycdluqaua2ashumh7yjhxvtw6imazzsencrlhhy5lq._file

Verdict:

malicious

RedLineStealer

1fa4cb9ae67e44a4b628d71882b536d39fb3d7e1a73317c5d4e5d2c90da1a997

RedLineStealer

2ab38fdbe562dd5a6be9651562e1523dbf7f3fd7d720d57bc9a25b0e2b665640

RedLineStealer

5862f38c79bc816b3158d8171a1f54c156a4f0565d4b98a1ea5399c92b732464

RedLineStealer

7a875017c121897c46818f9388f3c8cad4ac574a3b217c1a056f74b333f138c6

RedLineStealer

88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902

RedLineStealer

89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2

RedLineStealer

a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe

RedLineStealer

ab8d377d550ebae841ab75d2d6257fb38960efc049037bbd2468483871897e5d

RedLineStealer

fecf30cf57db17985193ff17ffca3697562215ac1b66d0c7cab2fa7c36c8cf5d

RedLineStealer

+ 1'033 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@bbakoch infostealer

Link:

https://tria.ge/reports/210802-fzdqqx7xhs/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.186.142.55:10425

Unpacked files

SH256 hash:

6f14dcd1c276f021ae900501a048f461ff849ef59dbc860339911a28ace7c757

MD5 hash:

0a3a43c545b504fca1908688bbe661a4

SHA1 hash:

8645465d2518a399fb8babc9f0b39b260d8f04a3

Link:

https://www.unpac.me/results/174d3029-e9bd-49bc-b852-9822e501795c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/6f14dcd1c276f021ae900501a048f461ff849ef59dbc860339911a28ace7c757

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)