MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a51ddfebbff6f4599a904655a5bac8e51234c4f7e9c3d2faa4cbc24f1f94ec3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	a51ddfebbff6f4599a904655a5bac8e51234c4f7e9c3d2faa4cbc24f1f94ec3c
SHA3-384 hash:	Calculating hash
SHA1 hash:	Calculating hash
MD5 hash:	5aa5bddaeaead5ad575cc2d46e8bbd59
humanhash:	Calculating hash
File name:	5aa5bddaeaead5ad575cc2d46e8bbd59
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	465'920 bytes
First seen:	2021-12-16 23:35:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	Calculating imphash
ssdeep	Calculating ssdeep hash
Threatray	3'992 similar samples on MalwareBazaar
TLSH	Calculating TLSH
telfhash	Calculating telfhash
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/214693/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2323/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61bbcd3f6daa353fa3b6662d/reports/5a238679-8f8b-43be-87a6-5127cc71960b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7ac0432a-2781-4f05-8a86-dfd6ad48a238

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/908842

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uuo57257632ftguqizk2lowi4ujdjrhx5hb5f6vezpbe6h4u5q6a._file

Verdict:

malicious

RedLineStealer

61945cb0d37bfb32d2f818e6b118d9968213903e73570769eda83a4405c5d783

RedLineStealer

6c90a4a65b4d10539243734b9783c414e8a95501e1272e1ef1de6b0e284d5899

RedLineStealer

a78ca974527199f93fa840fb13ccfc1808fb5d8288fc717e9136f3aff43efeee

RedLineStealer

c974eeab955dc4b29b64ea2be87e77264709a243cd1953ed17b992ce37cbaaaa

RedLineStealer

ea19fbcf50356b81e6e2984caa0bf981b25cc4387fbb29868908ed2d5eb6f5b9

RedLineStealer

+ 3'982 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211216-3k7bzsdab5/

Behaviour

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.29:34865

Unpacked files

SH256 hash:

0727711b28d80749cc5724c6d3bdef01357810aa3dc61303294ea3546ccdaf0f

MD5 hash:

cfc89e21344bbd4cfd6c5e11b57d93eb

SHA1 hash:

cf004613aa350d8502dc1ca5d41dc6606cd6c887

Link:

https://www.unpac.me/results/082e9a27-8a84-486e-9fe5-e3eb5cf51cca/

SH256 hash:

5988d4391e150beed91ae8b6f76b05fff58e6dd54014b3d7164467583a0f9872

MD5 hash:

3643740f5969fd3363b0647b4680919e

SHA1 hash:

76fd8f51615258a5fc3a7705b31c091a0e053496

Link:

https://www.unpac.me/results/082e9a27-8a84-486e-9fe5-e3eb5cf51cca/

SH256 hash:

20e543980e2699a9fa0a68fef0ad7ab72d598b902e1eb85dfa3ccee361ab6d7e

MD5 hash:

a6d93c104ce35fd74943b5fa8a9750df

SHA1 hash:

756e77fd0e8c6243960e2a5617fe61e6a428e2f7

Link:

https://www.unpac.me/results/082e9a27-8a84-486e-9fe5-e3eb5cf51cca/

SH256 hash:

a51ddfebbff6f4599a904655a5bac8e51234c4f7e9c3d2faa4cbc24f1f94ec3c

MD5 hash:

5aa5bddaeaead5ad575cc2d46e8bbd59

SHA1 hash:

5f586dfead03d789d93b38103b00cc06a9d166b8

Link:

https://www.unpac.me/results/082e9a27-8a84-486e-9fe5-e3eb5cf51cca/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a51ddfebbff6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.