MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70b1258213ac2f4bf8d31993ac1fb61fe7aec5104c9f16986461fa73793b8c7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 70b1258213ac2f4bf8d31993ac1fb61fe7aec5104c9f16986461fa73793b8c7f
SHA3-384 hash: b470a831e313187a5b320f7cc48f51f4e3c2bfb7ad23718f90a471e1a7a36dd3417a22b5265c6471fb89ffdc3fbb15c8
SHA1 hash: 898eafd7fa13660a0f41f2aa8dd0084b61059e61
MD5 hash: 0c6ca1305bbce0bb9aace7687cace11b
humanhash: rugby-robin-september-eleven
File name: 0c6ca1305bbce0bb9aace7687cace11b.exe
Signature: RedLineStealer
File size: 411'648 bytes
First seen: 2022-07-23 15:54:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7bd7488899c0446f9369c1cbdc5054c4 (5 x RedLineStealer, 3 x Smoke Loader)
ssdeep: 6144:3mRsM46OLYYEQ6r8DZU/5TMTBUf3yXRnMjDLR7G39kRUPmUUADxhduL4:2DdMYYEQ6ry+5Y+f3oa56y4FUY
Threatray: 7'037 similar samples on MalwareBazaar
TLSH: T1CE94CF00B790D435E0B716F849BA93A8B92D7EA0A73450CB62D53AEF47386E4DD3131B
TrID: 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      17.0% (.SCR) Windows screen saver (13101/52/3)
      13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 433
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature:
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2022-07-22 16:39:01 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 24 of 26 (92.31%)
Threat level: 5/5
Unpacked files
SHA256 hash: 2db63901f401bcfdda2a4c66d5854d56c17d604c96b4c2244acf8bc918d1d51b
MD5 hash: 5d6d87ae672e9f000e31cfe8da1b6f96
SHA1 hash: 8b66391d93ca715f217551b3eddf0acf717b163b

SHA256 hash: 07428165052e171dcff87377dec2bce3f634917fb54c2609f4e9cf574858cf93
MD5 hash: 9b79ecdff2be08d18279e78aa4ce81d9
SHA1 hash: 4dee6cd4867c388ae43f5995b35c0e0326500753

SHA256 hash: 902292b3a05fc21c8fdcca590ffbc6184566d41ce25d14c87d6adcfcf56083b5
MD5 hash: 5aedf200b2b820f5bd693ee3cabf767a
SHA1 hash: 15cb288b362d4941e31b4ffbd04787daf1d89647

SHA256 hash: 70b1258213ac2f4bf8d31993ac1fb61fe7aec5104c9f16986461fa73793b8c7f
MD5 hash: 0c6ca1305bbce0bb9aace7687cace11b
SHA1 hash: 898eafd7fa13660a0f41f2aa8dd0084b61059e61
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe 70b1258213ac2f4bf8d31993ac1fb61fe7aec5104c9f16986461fa73793b8c7f (this sample)

Delivery method: Distributed via web download
