MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eefafe85ed6277d9c6abd81fa1ef7969c2ce6767c609baafc79206f78d13685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	7eefafe85ed6277d9c6abd81fa1ef7969c2ce6767c609baafc79206f78d13685
SHA3-384 hash:	8bfc3b32a495aad6521175556683e076b529c6a8b1276c77218548f66ff1f4781c90f034cbd76f1485673eb57760af02
SHA1 hash:	bb2bbf24fd2cdbe86f16c1bf08563886b73170bb
MD5 hash:	0adaabe4a156ee49011937d128b7bfec
humanhash:	alpha-freddie-august-spaghetti
File name:	0adaabe4a156ee49011937d128b7bfec.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	293'376 bytes
First seen:	2021-03-19 07:40:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fadb03432906cb0b1086222508551a23 (2 x Stop, 1 x RedLineStealer)
ssdeep	6144:SBdn9R0mV8KABQQSIeghx5Jo9FbDv+5Elmr:y0m+DFsuO/OE8r
Threatray	410 similar samples on MalwareBazaar
TLSH	2554E011F2D1C432C095267E4861C6B66936BCB55F21CAC77BC43F5E8EB12D29A3634B
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0adaabe4a156ee49011937d128b7bfec.exe

Verdict:

Malicious activity

Analysis date:

2021-03-19 07:47:22 UTC

Tags:

rat redline trojan

Link:

https://app.any.run/tasks/5348e0d1-5ff9-4d89-95ea-3acbd6c4770b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/125597/

Detection(s):

SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL

Win.Malware.Ulise-9844930-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Connection attempt

Sending an HTTP POST request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/30f69abf-e4f1-42ad-87fa-c866195d06bb

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/645790

Signature

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7eefafe85ed6277d9c6abd81fa1ef7969c2ce6767c609baafc79206f78d13685/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-03-18 17:54:00 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p3x272c62ytx3hdkxwa7uhxxs2oczztwprqjxkx4peqg66grg2cq._file

Verdict:

malicious

RedLineStealer

0b3126faa1c9aefa49138147a91524c66e466f572dcac2e0121c53a187ccb076

RedLineStealer

254f8a160343897dc3e748af2f4c2164455afe3daaa75654c0a7e13483a43f0c

RedLineStealer

4de20c5375b9f484f3c764bc62721329813692e6441060fa1674ecec0f13584b

RedLineStealer

6c82ad6d2ac4bc7ca366d3a79bdaf96256352205ad6d645fe31ee98a1dfb1a8b

RedLineStealer

8726eeaad39b500f79072e8da7510e2b136bbc40c5ce31ab33e505beec1fc644

RedLineStealer

9feb26b9550dbf46719374757468d95b6882c00fd3ca65a02e9edf2854e900a9

RedLineStealer

d397561a5bb963a3bdff021676cad184c81e4ad6fee1601d15924f144fe1e73a

RedLineStealer

d3e7387c7a11a1f82b133b18bf2e3972617ecb3ea29e7366c93024d1fc4af6ab

RedLineStealer

ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42

RedLineStealer

+ 400 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210319-ejz9glbdt6/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

Unpacked files

SH256 hash:

edea666b263924768826a6aab01256fd033aed40d65ac1280584dc85e4e0eaad

MD5 hash:

595c03533c3a5fae3f82deeb6044531e

SHA1 hash:

d3dddd1f0a837c99d307bbf02c3ce5738871db8b

Link:

https://www.unpac.me/results/565399e8-3f96-414a-82e0-599521d45acc/

SH256 hash:

22cca2ec16050fe90fdc7236066719dde2df8f411bf8f7e0c40c26e26ab89c32

MD5 hash:

4295d4b649175fd4ca8d2416f390718a

SHA1 hash:

8d1b3e5e15c96dea2923e8b0a7cdf75eac9d815b

Link:

https://www.unpac.me/results/565399e8-3f96-414a-82e0-599521d45acc/

SH256 hash:

d444401f7f9a9f7dec83d02e75a2b9b5d8b665a061e298c8044ea227ccc58a28

MD5 hash:

8af62f5b5ab5225bce86cdb89f763000

SHA1 hash:

2a6a2dab6fdfa52cf250dcf95f9afabd61619c91

Link:

https://www.unpac.me/results/565399e8-3f96-414a-82e0-599521d45acc/

SH256 hash:

7eefafe85ed6277d9c6abd81fa1ef7969c2ce6767c609baafc79206f78d13685

MD5 hash:

0adaabe4a156ee49011937d128b7bfec

SHA1 hash:

bb2bbf24fd2cdbe86f16c1bf08563886b73170bb

Link:

https://www.unpac.me/results/565399e8-3f96-414a-82e0-599521d45acc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7eefafe85ed6277d9c6abd81fa1ef7969c2ce6767c609baafc79206f78d13685

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.