MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79483b08967ab9788038c345291a6fe61ba4f65b3594de2d4f47b50a486accba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79483b08967ab9788038c345291a6fe61ba4f65b3594de2d4f47b50a486accba
SHA3-384 hash: 1479521bcc81bae0dae7a9597adbc690615435c3b25f6e315f8c8d6d997d8910b4dc5ead0ae04b444c89bf359e66bbbd
SHA1 hash: 3f52176af2d5abf15ab6d4f5686f7a5558a82a7e
MD5 hash: ed3f7af80a20441c4ec9cfd7e6a05057
humanhash: dakota-mars-equal-twenty
File name:ed3f7af80a20441c4ec9cfd7e6a05057
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:398'848 bytes
First seen:2021-06-17 04:52:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ab857f73c9912dee0698f559b75c172 (8 x RedLineStealer, 1 x Glupteba, 1 x FickerStealer)
ssdeep 6144:YQbkL3USjObO/lEn+gzctCpI+Jatn7PLI+UtzBnyWCXn6hzXG:YQbkL3DObO/qpw80PLIptzRyWMz
Threatray 1'372 similar samples on MalwareBazaar
TLSH 8B84AE11A7A0C038F1B312F55A7963F9E52D7AB0673890CF52E52BEA56386E0EC31747
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.110:5698 https://threatfox.abuse.ch/ioc/131637/

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ed3f7af80a20441c4ec9cfd7e6a05057
Verdict:
Malicious activity
Analysis date:
2021-06-17 04:54:30 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/95299dc8-150f-416c-bee1-a9f34cccc3d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Pwsx-9872132-0
Create hunting rule

Win.Malware.Generic-9872139-0
Create hunting rule

Win.Malware.Generic-9872154-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b42c7fe3-565c-4e5c-b3ae-25b8bc827913
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803471
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79483b08967ab9788038c345291a6fe61ba4f65b3594de2d4f47b50a486accba/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 05:31:55 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfedwcewpk4xrabyyncssgtp4yn2j5s3gwkn4lkpi62qusdkzs5a._file
Verdict:
malicious
Similar samples:
0acd7696d5dc482aa3b4110fd60c6b9f2df88545f6cf9986714a984673965249
RedLineStealer
1f090615b025ca978616652c41369f2331100c7650dabd92ee0fa650f29de47d
RedLineStealer
2cd806676a941c35dafb31a02bfd75d6acecc3c6fb8567fe2b5c1e41bd6a59e3
RedLineStealer
7ff8de714cd1be1409b0c13a946c21f945a0bfdc8fd7e0b1a0f4e20f3ba0e80a
RedLineStealer
8868ce65c7fb73b3b89c48f97e16249139f94e759ff44d955e493f0651ae5f3b
RedLineStealer
a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b
RedLineStealer
ad1349f4c6eed7853d49d7b957ac4d5a0625080d5786b59d17ab7c9614ed8dcd
RedLineStealer
b4ea43c602bde1888827885b6826e461b3e6e449ae45f62d64834e2eb0308635
RedLineStealer
c7d64e661c96d03e4b08bf7edb1e9667743133eb72207f19ebfe3f4cb6c7a4b7
RedLineStealer
d2e0e8c973c2e376d189271f581d1ffec730f8ca41dfc1e3d9ef0b675366ee9a
RedLineStealer
+ 1'362 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210617-adfyjd4956/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
3cf6939b9ed38b40528be9d96ad346c11e3be490c189228b410b7513aafd0178
MD5 hash:
b51d312de6aa676b358392db4147e455
SHA1 hash:
f27f50cabd6523af9cf02ef9144baf5aa0b232ba
Link:
https://www.unpac.me/results/7098aef7-6fad-4328-b54c-f55c1ae7f4f8/
SH256 hash:
6031886bf45520ee13d04a5f9dddb9e33bb3edb09e561c38c4d717c2ca312ff7
MD5 hash:
3c0b03c7f50c4f9c50fb54d994abb79c
SHA1 hash:
c3daef2e2bcd7ca48c169e93827b4f510bb7fcb1
Link:
https://www.unpac.me/results/7098aef7-6fad-4328-b54c-f55c1ae7f4f8/
SH256 hash:
f9afebd978bad41dc04734599b3f65b13d75da4c637e42dbab5492dc5c0fcd01
MD5 hash:
e670d37420c1719b46920eb398300945
SHA1 hash:
9c08287042207479d44fb01a48f4bb8c68850526
Link:
https://www.unpac.me/results/7098aef7-6fad-4328-b54c-f55c1ae7f4f8/
SH256 hash:
79483b08967ab9788038c345291a6fe61ba4f65b3594de2d4f47b50a486accba
MD5 hash:
ed3f7af80a20441c4ec9cfd7e6a05057
SHA1 hash:
3f52176af2d5abf15ab6d4f5686f7a5558a82a7e
Link:
https://www.unpac.me/results/7098aef7-6fad-4328-b54c-f55c1ae7f4f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79483b08967ab9788038c345291a6fe61ba4f65b3594de2d4f47b50a486accba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 79483b08967ab9788038c345291a6fe61ba4f65b3594de2d4f47b50a486accba

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1372257/

Comments