MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87e6c51ce73a292f9a12dd88cb4873a34226c0822ac5a4190de89d9ef9413ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 9 File information Comments 1

SHA256 hash:	87e6c51ce73a292f9a12dd88cb4873a34226c0822ac5a4190de89d9ef9413ed6
SHA3-384 hash:	c42d1e15e0d74d3d7c8be07713bd09a71978ab3cca1a6d013c62832d77b66bb54ec6c858aae0928d5c5f4ba393df83c8
SHA1 hash:	a6e4e4245dec2a68c44a808467f7028cf21f45a2
MD5 hash:	c12837efdfdb3f15fb5c487ed3bbbee4
humanhash:	india-missouri-lactose-queen
File name:	c12837efdfdb3f15fb5c487ed3bbbee4
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'333'288 bytes
First seen:	2021-08-14 05:08:25 UTC
Last seen:	2021-08-14 05:44:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	98304:A2U+vPS1JjHwAHrUXMEk2YSDDqqRaqvZ1K:pkjH1HrYoSDD1Raf
Threatray	1'131 similar samples on MalwareBazaar
TLSH	T1F0F5230173DA5930E5BA4671D0E240205FB2BE1A65F1D21E2EB0FA0E1E70786DD7FB66
dhash icon	d998bab89888e470 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c12837efdfdb3f15fb5c487ed3bbbee4

Verdict:

Malicious activity

Analysis date:

2021-08-14 05:11:14 UTC

Tags:

installer trojan rat redline stealer

Link:

https://app.any.run/tasks/edce71fd-e5dd-4f1a-919d-2fce03d6496b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/179134/

Detection(s):

SecuriteInfo.com.VHO.Backdoor.Win32.Agent.gen.23699.27191.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Connection attempt

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a window

Creating a file

Sending a UDP request

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9f389b9a-38de-43f9-8529-b139410aec91

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832760

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/87e6c51ce73a292f9a12dd88cb4873a34226c0822ac5a4190de89d9ef9413ed6/

Threat name:

ByteCode-MSIL.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-14 01:50:48 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q7tmkhhhhius7gqs3wemwsdtunbcnqecflc2igin5coz56kbh3la._file

Verdict:

unknown

RedLineStealer

3cb8753735a439dad2d7ab713cde180e9f253c6099ad7a628e1b16564693da0a

RedLineStealer

5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129

RedLineStealer

61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948

RedLineStealer

6bf5f4826e8a08a51efd8c251af36a1730d57487a0e598dbd74b6fbe8a11d7ed

RedLineStealer

966587a4421c9d7cab7b5defc79a47e7c319f0bd4166678d3a0425b85ca540bb

RedLineStealer

a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e

RedLineStealer

f1df708a846482e0d856754d5178d80109b068dc589494e6e831e2cfa2148b30

RedLineStealer

+ 1'121 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery evasion infostealer spyware stealer themida trojan

Link:

https://tria.ge/reports/210814-hqvwen1f7n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

Unpacked files

SH256 hash:

dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a

MD5 hash:

c02a029c978f13b753c6b578b1588c75

SHA1 hash:

e125d59451e7f467bfd329a00a506decbcd91d83

Link:

https://www.unpac.me/results/09a6300c-47c3-4e52-9a09-42746c33074e/

SH256 hash:

87e6c51ce73a292f9a12dd88cb4873a34226c0822ac5a4190de89d9ef9413ed6

MD5 hash:

c12837efdfdb3f15fb5c487ed3bbbee4

SHA1 hash:

a6e4e4245dec2a68c44a808467f7028cf21f45a2

Link:

https://www.unpac.me/results/09a6300c-47c3-4e52-9a09-42746c33074e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/87e6c51ce73a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/87e6c51ce73a292f9a12dd88cb4873a34226c0822ac5a4190de89d9ef9413ed6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_new_mem Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)