MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cc24efd597157cc9dcede4fffc124a32bbe34c7216e1272c51d37a71180ce04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments 1

SHA256 hash:	7cc24efd597157cc9dcede4fffc124a32bbe34c7216e1272c51d37a71180ce04
SHA3-384 hash:	de0390a454d5e0dfac4fcd11457aa361a57f9cf75416122f23d9030e3824bbd2d3f769d91255548ddc88c7f33f702104
SHA1 hash:	abd38badba769f898f4eb151a958ed4bb9340702
MD5 hash:	313696e3546eb40247ca7b70dbb74ba5
humanhash:	sad-lithium-floor-beer
File name:	313696e3546eb40247ca7b70dbb74ba5
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	927'728 bytes
First seen:	2022-01-07 00:09:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d8306d9ed29cc894699fa4a350040e22 (1 x RedLineStealer)
ssdeep	24576:FddFqvC6Ck5Ctdtdi4Sx7NyQyKSsEKPQg78:vdFq6PBXXidsQJPQB
Threatray	25 similar samples on MalwareBazaar
TLSH	T15B1522053A40FCD5DC372379CA66DEF81F323DA5EDE4840B7062BF89767AC982619129
File icon (PE):
dhash icon	33332b17540f0f8e (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

313696e3546eb40247ca7b70dbb74ba5

Verdict:

Suspicious activity

Analysis date:

2022-01-07 00:13:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ce42d19b-c0a2-4782-9ccf-efc7e0032a95

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/217624/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.25055.8969.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

exploit overlay packed wacatac

Link:

https://www.filescan.io/uploads/61d784e01c0d769df9d4321f/reports/1f283c0e-6877-4184-95b4-2a11c8c69a76/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b35a650c-b17c-402a-b4ef-47ccdae356cb

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/916585

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7cc24efd597157cc9dcede4fffc124a32bbe34c7216e1272c51d37a71180ce04/

Threat name:

Win32.Infostealer.Reline

Status:

Malicious

First seen:

2022-01-06 16:36:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 43 (51.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ptbe57kzofl4zhoo3zh77qjeumv34nghefxbe4wfdu32oemazyca._file

Verdict:

suspicious

Label(s):

ryuk

RedLineStealer

36d1c7bd0d09f604463f4e5ed69d13242104989fcd38196acc9b20404ceb61b5

RedLineStealer

53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f

RedLineStealer

8385eb7b18a881dcfdb87406a92c19b5b39676f5de60859a4a4034cf91e21c6d

RedLineStealer

862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55

RedLineStealer

b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761

RedLineStealer

b7435f97f94aec61ae91c051a8395270e492cd48c3214fbb2180fad95b6600bb

RedLineStealer

ee0c781e4af18d8d80599abd9baa65861ff4920fee312b8af06d83fc91e9959b

RedLineStealer

f3f6a9292fb02c58a1c2a803845f04181658a539706ba03dfdb57404a40f1053

RedLineStealer

+ 15 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220107-af3h1sbfh4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

edb98e43fb7afe6ecc5224e02a5ab903a7b6ad58c4f9873de64032c63f533ffd

MD5 hash:

e1f2d64b5e88fe67d59a4398cf11d259

SHA1 hash:

902da849d54dbadc15df9584e7b3cbe498bc506d

Link:

https://www.unpac.me/results/08df27a2-a3e1-4046-b5a0-dee57181761c/

SH256 hash:

7cc24efd597157cc9dcede4fffc124a32bbe34c7216e1272c51d37a71180ce04

MD5 hash:

313696e3546eb40247ca7b70dbb74ba5

SHA1 hash:

abd38badba769f898f4eb151a958ed4bb9340702

Link:

https://www.unpac.me/results/08df27a2-a3e1-4046-b5a0-dee57181761c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.98

Link:

https://yomi.yoroi.company/submissions/7cc24efd597157cc9dcede4fffc124a32bbe34c7216e1272c51d37a71180ce04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.