MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 867586747162fa56a50a08f3057c9f35b89edcddd98df36f4bf421157abd6fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	867586747162fa56a50a08f3057c9f35b89edcddd98df36f4bf421157abd6fad
SHA3-384 hash:	79bb8fea047fabad91aa0f98303d519bf4286da4614e2ec78313fede26663b407e4a8d391f77cc3dd49d271111bd0b8a
SHA1 hash:	aca77cf566936fac9548905980066fb4826ff2b5
MD5 hash:	d0c397796f5d87deaaf6fb7e4844cc10
humanhash:	sad-may-violet-missouri
File name:	d0c397796f5d87deaaf6fb7e4844cc10.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	296'960 bytes
First seen:	2021-07-03 07:07:41 UTC
Last seen:	2021-07-03 07:40:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4a5c469b916f0cded852ffb52bb94d37 (1 x RedLineStealer)
ssdeep	6144:9pj9SeU+mvpt0i+/a4S6XAmqD0HLmxE9Sp:9x9SeU+y8/aGXAmqD0Hqfp
TLSH	2854E0117680C832C55241709CA4E7A1AA7EFD305AB7D94337951BAB9F313C3EE7A34A
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d0c397796f5d87deaaf6fb7e4844cc10.exe

Verdict:

Malicious activity

Analysis date:

2021-07-03 07:09:30 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/118b0d69-c579-444a-aafd-af475f20ed84

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/169506/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37177433.29886.4281.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4da68a6-f82e-4bfb-ab5e-c92ed6ebb75c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/811385

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/867586747162fa56a50a08f3057c9f35b89edcddd98df36f4bf421157abd6fad/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-03 02:27:24 UTC

AV detection:

26 of 46 (56.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qz2ym5drml5fnjikbdzqk7e7gw4j5xg53gg7g32l6qqrk6v5n6wq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:pudt discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210703-akznfqftrn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

176.111.174.254:56328

Unpacked files

SH256 hash:

d3a86e8c7dfc6da4450f1a19e214637dc87e4bf9e0ad30034803ab80cace095c

MD5 hash:

cb5fc5dd3ba9fdd7af4b8eecf33f77d5

SHA1 hash:

d2bf6ecc946301c58381a88bf12d74204314b7e8

Link:

https://www.unpac.me/results/ec657167-d7c7-442a-89ed-b68c3114abce/

SH256 hash:

a3774922e16ff1224a3e509b6fffc7c1dabe5a9a680539608b78839e481d7f1e

MD5 hash:

651e96a0d52076aa5ed2d82739b5c9b1

SHA1 hash:

b1ccd75ad0feed1d11deecb72ef0abac5e3ecf09

Link:

https://www.unpac.me/results/ec657167-d7c7-442a-89ed-b68c3114abce/

SH256 hash:

e13e35685114980f612af2304d7916557b03dc43609ada58de42bfa1bd5929d1

MD5 hash:

d73b577cdc3854b7ba4b09f17a84e1db

SHA1 hash:

0b60823181914658cc07e8629fc9b5ddfcdf1fee

Link:

https://www.unpac.me/results/ec657167-d7c7-442a-89ed-b68c3114abce/

SH256 hash:

867586747162fa56a50a08f3057c9f35b89edcddd98df36f4bf421157abd6fad

MD5 hash:

d0c397796f5d87deaaf6fb7e4844cc10

SHA1 hash:

aca77cf566936fac9548905980066fb4826ff2b5

Link:

https://www.unpac.me/results/ec657167-d7c7-442a-89ed-b68c3114abce/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/867586747162fa56a50a08f3057c9f35b89edcddd98df36f4bf421157abd6fad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.