MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b31e9a3eb1d1b86583a4ce6df3e7acc24fac0c6ad9bf484b0158a508476c7b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b31e9a3eb1d1b86583a4ce6df3e7acc24fac0c6ad9bf484b0158a508476c7b8
SHA3-384 hash: 67e91a9de8a00a429ab2645d09509ba1094872cc7729bb7a5a49db63eabe1f486f600e7e79af0e91cac5a0513bfb327a
SHA1 hash: c8920d9149d4467b4967230e66e7cdf4edd132d5
MD5 hash: 6488c5b8360a5af1c1d0881b5659c566
humanhash: johnny-november-north-west
File name:6488c5b8360a5af1c1d0881b5659c566.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:433'152 bytes
First seen:2021-04-02 18:14:42 UTC
Last seen:2021-04-02 19:09:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e24e904811fb698170d02c0338dab33 (1 x RedLineStealer)
ssdeep 6144:6pfmPCmy7iW9tKGQGAR0GJ9V0w1sf3/a3zNVNzyjjMXUN:6puy7iW9tKGH+HJ9V0wKvAtGMkN
Threatray 415 similar samples on MalwareBazaar
TLSH 0094CF11B7D0C032D1A36476892AC7B15EBF78712A355ACFBBC55FBA1F202D09B26316
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6488c5b8360a5af1c1d0881b5659c566.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-02 18:24:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/68d5f685-0b7e-42a3-aab0-18538e4cedd5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/131849/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.64212.9678.7243.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3cbc3896-b47f-4a0f-b4c5-5fdc17439749
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/664077
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7b31e9a3eb1d1b86583a4ce6df3e7acc24fac0c6ad9bf484b0158a508476c7b8/
Threat name:
Win32.Trojan.Fugrafa
Create hunting rule
Status:
Malicious
First seen:
2021-04-02 10:17:03 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0f1153b16dce8a116e175a92d04d463ecc113b79cf1a5991462a320924e0e2df
RedLineStealer
475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2
RedLineStealer
676593610aafb444bd3b06028cbe14c0f1bb08d621da061609436d0afbe536fb
RedLineStealer
6846c70c5392556654844ce2e05e68f248432176c88d2b92f44b1b487c6b7db3
RedLineStealer
808be962b671de3c658a363c3ca14ea5181d3669f0a23f0263a175e9416daab5
RedLineStealer
96802cd1e7ee797e260cf5379cdd8526379b6ab1c396c21f1db1dae4ca111e93
RedLineStealer
bc80d1fb5849235c0a8f7938a972f1fae4cb52cbe418b7be6229512f3a3c1373
RedLineStealer
c7d64e661c96d03e4b08bf7edb1e9667743133eb72207f19ebfe3f4cb6c7a4b7
RedLineStealer
d1b41547f2fd4a9706c60b58d264e37481ae25a8a0fc8dd2ac3599f4d309f297
RedLineStealer
f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48
RedLineStealer
+ 405 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210402-hwstjrzxrj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
dbdaeb68f4052b85be499db1dab92a89ba34253aa235265172f72b4243599627
MD5 hash:
5ea94ee19026817ebea684fec3d9f703
SHA1 hash:
d47ae21aab10b03568b65df2f6c5d5b13fdd816e
Link:
https://www.unpac.me/results/81cb3832-a8e4-48b0-b9e9-1c8b639f3c79/
SH256 hash:
97599131e1d66fdbb29bdec49c682a57520e900d7e98cc8d26a70585bb1044b0
MD5 hash:
d795fbe6ea9890b3083baf04f3060312
SHA1 hash:
6b7e0bd8e89f610ccd09d1a7b353f139aadbc0d6
Link:
https://www.unpac.me/results/81cb3832-a8e4-48b0-b9e9-1c8b639f3c79/
SH256 hash:
fdf9d59370e5982ce6ac5001b317c2f2aa504553745fd87a3d36b09fd8590a48
MD5 hash:
ac1d3d7e15b1cc75a09aba930bc5e00a
SHA1 hash:
21cd568cde30a9b000ec14721f42d63cd4190b22
Link:
https://www.unpac.me/results/81cb3832-a8e4-48b0-b9e9-1c8b639f3c79/
SH256 hash:
7b31e9a3eb1d1b86583a4ce6df3e7acc24fac0c6ad9bf484b0158a508476c7b8
MD5 hash:
6488c5b8360a5af1c1d0881b5659c566
SHA1 hash:
c8920d9149d4467b4967230e66e7cdf4edd132d5
Link:
https://www.unpac.me/results/81cb3832-a8e4-48b0-b9e9-1c8b639f3c79/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b31e9a3eb1d1b86583a4ce6df3e7acc24fac0c6ad9bf484b0158a508476c7b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7b31e9a3eb1d1b86583a4ce6df3e7acc24fac0c6ad9bf484b0158a508476c7b8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/131849/
  
URLhaus
https://urlhaus.abuse.ch/url/1056715/
  
Delivery method
Distributed via web download

Comments