MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7422c3cb2a3829fcc4906445566d4290fea9ef16c1591ca1846e91524b26bbd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	7422c3cb2a3829fcc4906445566d4290fea9ef16c1591ca1846e91524b26bbd0
SHA3-384 hash:	695b41ae8d7437968f3dda731157431d93903293fe7158f8a54402eaed52dcf8ffb99606dca93d8e10020f7a11d7c7a8
SHA1 hash:	ef6ad320a6b7556f4ba9a4612682466438dcb289
MD5 hash:	568674aca55b1eae0c7ff793d2627d6b
humanhash:	network-nineteen-minnesota-dakota
File name:	568674aca55b1eae0c7ff793d2627d6b.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	390'144 bytes
First seen:	2021-06-03 16:39:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	788842c19811b0f2f6994735b8f363a4 (3 x RedLineStealer, 3 x Stop, 1 x ArkeiStealer)
ssdeep	6144:MxzOImoWq1jrBKDwDPRMInJvl8qD+d7ApR6iocDjD3O:Mxzfmt2jrBBDPhd28ksMiJS
Threatray	746 similar samples on MalwareBazaar
TLSH	EA84AE10B7A0C034F5F312B45ABA92B9A63D7DE16B2450CBA2D42BEA57746E0EC31717
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

568674aca55b1eae0c7ff793d2627d6b.exe

Verdict:

No threats detected

Analysis date:

2021-06-03 16:43:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/16d68199-23ce-4972-88ce-d76974cd1746

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/164477/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/796856

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7422c3cb2a3829fcc4906445566d4290fea9ef16c1591ca1846e91524b26bbd0/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-06-03 03:29:26 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oqrmhszkhau7zreqmrcvm3kcsd7kt3ywyfmrzimen2iveszgxpia._file

Verdict:

malicious

RedLineStealer

163dae89612fd1f3887488daaee0ba0997ad6f848713c4bacac96203a1ae5311

RedLineStealer

1717d636a9ae487756c241683be10b6e97eac9551b44160a104746a026e8a1e4

RedLineStealer

43a38e0f15c22a94dec67acce84a2cbed685b8c58014ee4a432dad8f9e550a7f

RedLineStealer

604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004

RedLineStealer

7ff8de714cd1be1409b0c13a946c21f945a0bfdc8fd7e0b1a0f4e20f3ba0e80a

RedLineStealer

d460839a01093007c634bbca24ac143244b9f6d2b4943ea9aa292600884836ce

RedLineStealer

e350e3c70db30c91aadc46298cd2563c05dc20e2113416a3e7b9b60ef22ae6d5

RedLineStealer

f036cd620b335151bb675c3478c9f945562e7eb46b0f8ac816da9999e8faffae

RedLineStealer

f29a98849772d487f462daadc5072112353b52fa17ffeac2d2e8d669fcffe573

RedLineStealer

+ 736 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210603-mhj13pshmn/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

49.12.42.196:12598

Unpacked files

SH256 hash:

a526722c6099065dbaf2f4d07af7e6af1659ad914fab655a30ed5ff32b34d422

MD5 hash:

96659e1fa9ad47a840e475a3c1de6104

SHA1 hash:

e6f99b504d933dc11254e8b64b530110ba3b0f47

Link:

https://www.unpac.me/results/811931cb-0123-404f-b561-8fac27d6e523/

SH256 hash:

b128d33e55cc7119ef8827d59d707b277d2cd9592df49f8c972bc56d47e2fa70

MD5 hash:

9ec8b96a1a068a1ec4c3463dabbd108e

SHA1 hash:

ad39cfabdb522c52838e5d142d4f0c74655fe981

Link:

https://www.unpac.me/results/811931cb-0123-404f-b561-8fac27d6e523/

SH256 hash:

c18694f035b34ecbbadaf767076a70cff45bb39caf794a827a6e5d652c320e52

MD5 hash:

d237daf497c4bbc01c1e14514b4a908d

SHA1 hash:

50429b1b0e8e7180f1dcde2bff6821897ace3825

Link:

https://www.unpac.me/results/811931cb-0123-404f-b561-8fac27d6e523/

SH256 hash:

7422c3cb2a3829fcc4906445566d4290fea9ef16c1591ca1846e91524b26bbd0

MD5 hash:

568674aca55b1eae0c7ff793d2627d6b

SHA1 hash:

ef6ad320a6b7556f4ba9a4612682466438dcb289

Link:

https://www.unpac.me/results/811931cb-0123-404f-b561-8fac27d6e523/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7422c3cb2a3829fcc4906445566d4290fea9ef16c1591ca1846e91524b26bbd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.