MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 877c1cec3dce25939698f1f459f4b68a1d9ecdb3c7ebc82f241e136ead494731. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	877c1cec3dce25939698f1f459f4b68a1d9ecdb3c7ebc82f241e136ead494731
SHA3-384 hash:	42df1f987139908e3f54e591bd9285d1a3e39b315380ee3e99fac5da5d040ffe237d592d40dad1efe237a146f221319a
SHA1 hash:	594e82bc38520f9b050a01b067fdbf17104a2713
MD5 hash:	bf7b442e39bbeba29db2b591c63e7822
humanhash:	foxtrot-nevada-early-stream
File name:	bf7b442e39bbeba29db2b591c63e7822.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	396'800 bytes
First seen:	2021-03-05 14:30:20 UTC
Last seen:	2021-03-05 16:42:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8c6ccc47ce007ce69fe73984f41fc799 (1 x RedLineStealer)
ssdeep	6144:RLl+OdfHYQC4grMTVco8vZy7Ae8LuX8D1UNEGmiV+pSLqAlsc0/RLnR4jWnai82F:RZ1FHYQC4pVco8Ry7Aec1UCGgn5n4PA
Threatray	380 similar samples on MalwareBazaar
TLSH	2584BF10E7A0C034F5F622F85A75C3B9A52D7BB0A72490CB62D127EA97346E1AC31F57
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bf7b442e39bbeba29db2b591c63e7822.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-05 14:37:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2cc71fbb-b1f2-48d0-9b8e-37d1adf58ecb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/122517/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.31253.31641.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Connection attempt

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/629934

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Potential time zone aware malware

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/877c1cec3dce25939698f1f459f4b68a1d9ecdb3c7ebc82f241e136ead494731/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-03-05 14:31:07 UTC

AV detection:

16 of 47 (34.04%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190

RedLineStealer

3a77d697b35b9de741ac611c904aca942a17d4ac8f786f4f9b9532dec277a8f6

RedLineStealer

3d2d9b8e5738024ffaa470410dfae954d73f049fdb2619be6864e399f3da6390

RedLineStealer

475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2

RedLineStealer

4b6db0ab009cf8babc3d2f5390b8dba1ae7367c24cb0988dd96d04a4b25a2b4a

RedLineStealer

58472769f4701ccaef3d6cb6e32317f49a680dfaf1dc7ac1e8de76a02b41c7f3

RedLineStealer

b3c2ed1edebee42767277652dbdb2c3c17c3b33707c975b1679e956658701825

RedLineStealer

e273f65f5eff32aa37c8e88a9cc825b4826eabc8b8e708d850a0b4a3bdd60b8a

RedLineStealer

f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48

RedLineStealer

+ 370 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210305-hq9l72mka6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

4c160874473ea890da29feae630ae01b513d010424f03fbe68fd36348425b46d

MD5 hash:

c55acf224fcd3c6f126571328333da26

SHA1 hash:

92c1ea3bfcab4d5c6aef2a29de871c4d193f6012

Link:

https://www.unpac.me/results/d8639aaf-b3c8-444a-9f13-0a52cddeda98/

SH256 hash:

b88a450ce3914d1502081bccbe70e6a8920b2089689688fd2356cc2dcef8724e

MD5 hash:

b6fd195fa14df407bafafec4a36dd3e4

SHA1 hash:

62f03981053a6075e396c8feae897b4be9fea186

Link:

https://www.unpac.me/results/d8639aaf-b3c8-444a-9f13-0a52cddeda98/

SH256 hash:

70db5ea41576ad347869e691a7896760a5228695be9e962345e376c47d6e87d6

MD5 hash:

e6bc17c39f5e9d79afce0304c3340282

SHA1 hash:

22d948eb49356c5a932ca7a2ddb5608b38266050

Link:

https://www.unpac.me/results/d8639aaf-b3c8-444a-9f13-0a52cddeda98/

SH256 hash:

877c1cec3dce25939698f1f459f4b68a1d9ecdb3c7ebc82f241e136ead494731

MD5 hash:

bf7b442e39bbeba29db2b591c63e7822

SHA1 hash:

594e82bc38520f9b050a01b067fdbf17104a2713

Link:

https://www.unpac.me/results/d8639aaf-b3c8-444a-9f13-0a52cddeda98/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/877c1cec3dce25939698f1f459f4b68a1d9ecdb3c7ebc82f241e136ead494731

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.