MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a468865ce935b1915a41482fa657990cd7b3772fc6fc3aebe5d684c14b9b06b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments 1

SHA256 hash:	a468865ce935b1915a41482fa657990cd7b3772fc6fc3aebe5d684c14b9b06b2
SHA3-384 hash:	5d511f0e6a049881d826877052c889a6dc86a674c92e7c34847775e4b987e38e3e36d4297f3101496dab7666a6364eb1
SHA1 hash:	82febe4d45b6098a0287713f01804a3be47d0dd8
MD5 hash:	514a8ebd895086b551a26dbcb8412f11
humanhash:	vegan-blue-sweet-batman
File name:	514a8ebd895086b551a26dbcb8412f11
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	361'472 bytes
First seen:	2021-07-10 12:37:27 UTC
Last seen:	2021-07-10 13:48:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6c0d15974efab5c1f0accb72f70a1d36 (1 x RedLineStealer)
ssdeep	6144:SioyiskdaJ246EVEBlYc4+B4KlCCWVme6O0AwlpUuJVZU:ktskd46ECEcP4KlUT6BbmmV
Threatray	1'140 similar samples on MalwareBazaar
TLSH	T169749E206AA0C035E2F706F5557593A8A83EBDB15F2481CBF1D57AEE26386D49CF0743
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

60e94c_EaseUS-Partitio.zip

Verdict:

Malicious activity

Analysis date:

2021-07-10 07:33:07 UTC

Tags:

trojan evasion loader rat redline stealer vidar opendir ficker

Link:

https://app.any.run/tasks/97f667f1-c84e-4462-bae6-db0371006065

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/170801/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop17.61603.9458.5636.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/beeefbd5-8f3f-41e7-8bfa-7e1873e7d903

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/814320

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a468865ce935b1915a41482fa657990cd7b3772fc6fc3aebe5d684c14b9b06b2/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-07-09 21:22:31 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uruimxhjgwyzcwsbjax2mv4zbtl3g5zpy36dv27f22cmcs43a2za._file

Verdict:

malicious

RedLineStealer

114858da0fd1b5ea7a2d05d6dbd8d6d752926a4bc912a297d97b5776746a31bc

RedLineStealer

49e784cd4664d480317bc3e726821d153e14ebc8b335cebce963ec427e4dcea9

RedLineStealer

7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8

RedLineStealer

78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16

RedLineStealer

7f26cbf3b8402f8971b26019089ec612ea4a50fe74b0afdfcde4b08062c99a03

RedLineStealer

bfbf6bb9393e511a06e90d432e7538059ae75f9f1525f0f503d1d0bec0d32124

RedLineStealer

d1393748b163640113850583346ee301192def81a399142aa276691eecd4314a

RedLineStealer

d34e63dbaeb352c7fbf69e3afcd140ca188aaf9492bbb209401bdbcc6028b07c

RedLineStealer

d59ae43affeee4773c89a3bddf6da80f88e86dc5c91184890864f97fc7cd5f5b

RedLineStealer

+ 1'130 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 10.07 infostealer

Link:

https://tria.ge/reports/210710-1f1yh67a8j/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

a6991045bf6f49bda74f2723e053a62879f73db5e8211f16c8c2a0b7ac7c7029

MD5 hash:

91f54bb22c3cd50f716c2de58baa7c96

SHA1 hash:

72bd0f4b22c6d3bcf306f8c68bd82fbf4177482b

Link:

https://www.unpac.me/results/8a0d18fd-c592-477f-aad4-a2cb7ff915cb/

SH256 hash:

5624fcc05e062ca1c7d2a975dd7f2ef8d6a51324d1cd984774e13e1ab35593fa

MD5 hash:

d432ca175ded2278252d3dac85d87265

SHA1 hash:

0d26dc00a9b09cee5fa6081fbfec9c4fad1963f8

Link:

https://www.unpac.me/results/8a0d18fd-c592-477f-aad4-a2cb7ff915cb/

SH256 hash:

7122e350f9ed56aa34f34089df3104330d2db6ca21ec396d17e3c8fb18001087

MD5 hash:

a0efdb09687f009ff9fb3a1b15539f9d

SHA1 hash:

0556538d0fd5f837c92aa757f6b08edb56635706

Link:

https://www.unpac.me/results/8a0d18fd-c592-477f-aad4-a2cb7ff915cb/

SH256 hash:

a468865ce935b1915a41482fa657990cd7b3772fc6fc3aebe5d684c14b9b06b2

MD5 hash:

514a8ebd895086b551a26dbcb8412f11

SHA1 hash:

82febe4d45b6098a0287713f01804a3be47d0dd8

Link:

https://www.unpac.me/results/8a0d18fd-c592-477f-aad4-a2cb7ff915cb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a468865ce935b1915a41482fa657990cd7b3772fc6fc3aebe5d684c14b9b06b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.