MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 827dcd6eeff67fb8fd1322c9eeccc9558713bf83b4353669b3d7cc826cadf2f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	827dcd6eeff67fb8fd1322c9eeccc9558713bf83b4353669b3d7cc826cadf2f1
SHA3-384 hash:	1291b1580220a5ce1e1d17743578f4b0fabda6ff32e35e0a4f7ff886d9706d2b963a61b3cf0ab6390bdfbe5c2846140f
SHA1 hash:	9fa7f7ff7aaa0c62940c8cef149db5bed19d59c2
MD5 hash:	e04f6cf651fe11131d06392feeebad12
humanhash:	mango-robin-lamp-uranus
File name:	22817028.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	388'096 bytes
First seen:	2022-03-19 05:05:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8d72d9e8390e0a6fb409a21cc742651c (2 x RedLineStealer, 1 x Loki, 1 x ArkeiStealer)
ssdeep	6144:LC/2d0pg26H/u9U7ZwZuM1BKp4/elj/h60VM:LCumg2o/u9UqZ/Bwlj
Threatray	1'839 similar samples on MalwareBazaar
TLSH	T12784E1113685D833D152623C8D72C6754A7EBC71EA32E69B7F98072E5F712E2EA31342
File icon (PE):
dhash icon	327e7c7d767e6e62 (2 x RedLineStealer, 1 x Stop)
Reporter	adm1n_usa32
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/252897/

Detection(s):

Win.Malware.Filerepmalware-9939300-0

Win.Malware.Generic-9939374-0

Result

Verdict:

Malware

Maliciousness:

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/9771/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/623564c7b94fb38cb4aa46e8/reports/2eb6c1e1-bde2-4731-a4c9-ca8ae6ef5263/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Racealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6830e953-3f9e-4b42-93b1-91d69abaecc9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/960037

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/827dcd6eeff67fb8fd1322c9eeccc9558713bf83b4353669b3d7cc826cadf2f1/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-17 15:55:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

451f3d1b5f2823224e244d06c52423f0e68df54937a8cff948f28f307afe9cfe

RedLineStealer

63116a7686b86bf85bfc4e27fa6f465f8dea270f165c431cac19dd647579fbc5

RedLineStealer

813980ca5305ef5034e98b52596fddf3594108f4156f2057cb3d23b2b89e0ee2

RedLineStealer

8ce1822eb29553ebaf2c1ac7f628a0c2532296de28bdb31f38db617404e9fa5a

RedLineStealer

96d4f14f8d1be02a21feb4533eca4f270716e7b0feefe6e5a477454f13db99d1

RedLineStealer

c32c9b880976b25a9318b99cbcf9cabf1369e971c62a5642b4d13b9df6bf021d

RedLineStealer

+ 1'829 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/220319-frffhscbe2/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.87:33960

Unpacked files

SH256 hash:

86dfb006e9c376159d7cb9e047216fb7bf17b0989a4e2cdce00fec181a4a1291

MD5 hash:

460211f5c9e5c4ba0e9a026237dfb2b8

SHA1 hash:

f8066690626813f18fdaba095a1e60da78530fbc

Link:

https://www.unpac.me/results/54ff2a75-8e02-411f-b45f-311f0a93611a/

SH256 hash:

4962c72f5441dc5942cf2c354b0ee582de0adc124f786e84965e6d9e702acce8

MD5 hash:

a69c9f080b8ff8ed1c32d2c24e740e5e

SHA1 hash:

b34d1891178e034282cf7c1143feb229b2fe15dd

Link:

https://www.unpac.me/results/54ff2a75-8e02-411f-b45f-311f0a93611a/

SH256 hash:

aac4675b95e51b002da2489869e772f69ab6aa86d4e5d0b7b88f73615ff33f35

MD5 hash:

9bd118016f38b8471cc2d5f6d53170b6

SHA1 hash:

ad6f735833971cd8a8a48cc32e828a9f69aee406

Link:

https://www.unpac.me/results/54ff2a75-8e02-411f-b45f-311f0a93611a/

SH256 hash:

827dcd6eeff67fb8fd1322c9eeccc9558713bf83b4353669b3d7cc826cadf2f1

MD5 hash:

e04f6cf651fe11131d06392feeebad12

SHA1 hash:

9fa7f7ff7aaa0c62940c8cef149db5bed19d59c2

Link:

https://www.unpac.me/results/54ff2a75-8e02-411f-b45f-311f0a93611a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/827dcd6eeff67fb8fd1322c9eeccc9558713bf83b4353669b3d7cc826cadf2f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.