MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6c43747a61dbbfcabd23c6595f9237950dafddf54b187c6300ec75340f2d6d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a6c43747a61dbbfcabd23c6595f9237950dafddf54b187c6300ec75340f2d6d9
SHA3-384 hash:	620283c9035450a664cd10cc56075a4a0d8c33a18d32e7cf7ed21abf80c8445cd1bb580ec02e1461e24d89de6bd2a410
SHA1 hash:	3a3a3443b302ccde4c7c925a29155eaa33facaca
MD5 hash:	f22fd5eeb9de89b6aeaa93f14cdbf407
humanhash:	video-black-aspen-blossom
File name:	f22fd5eeb9de89b6aeaa93f14cdbf407.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	394'240 bytes
First seen:	2021-06-17 20:51:15 UTC
Last seen:	2021-06-17 21:34:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5bc76f4349f7f0afe0c88e229f50d37f (6 x RedLineStealer, 1 x Smoke Loader, 1 x CryptBot)
ssdeep	6144:LaN4T3mvEGfK/mHN5uLjQWXP/6zP9FtxgqncBITgLiajhtE1:g4DmvEGi/mAjQWf/6zZxFkPLFV
Threatray	766 similar samples on MalwareBazaar
TLSH	CB84BF10FA90C034F4F612F89AB693B8A52D7AB05B2491CF62D51AEE57386E0FD31357
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
49.12.74.247:8765

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
49.12.74.247:8765	https://threatfox.abuse.ch/ioc/131112/

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f22fd5eeb9de89b6aeaa93f14cdbf407.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-17 20:57:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b1b6ff15-dd18-4487-ae07-fcdfd1f44600

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/166660/

Detection(s):

SecuriteInfo.com.Troj.Kryptik-TR.19341.12274.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b8a5bbe7-fb84-43eb-9bda-cce520a4796c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/803961

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a6c43747a61dbbfcabd23c6595f9237950dafddf54b187c6300ec75340f2d6d9/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-06-17 20:52:11 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u3cdor5gdw57zk6shrszl6jdpfinv7o7ksyyprrqb3dvgqhs23mq._file

Verdict:

malicious

RedLineStealer

0d5c3f624b4b07fbf3720815913d7c4aaa5bae13b004cb28b8cadad519ce726d

RedLineStealer

229ab0c891537400cee69adc5f24094ba38bc8ac4c7f65f17a03580da6eb3644

RedLineStealer

45cfc2ce1e033a00c42202e16a7ba83229688d49d7776e175488c56aade45558

RedLineStealer

b483a5bd1ef599565cde70fe70d54e997fb88140d88a10ca72c32a7a4d32489c

RedLineStealer

b4927c58d2b3857f64044f8408d590ac912dd934771ee5f5338733db900727e2

RedLineStealer

cb0c503528ca44a738eb92de10911cc0d0c632aedd5f7738b03569c7083fa54c

RedLineStealer

e946f6647c8177fa90a250d67e636bacc784dda365993eb093d1ecb40275e0b7

RedLineStealer

ec54f91b74fd7baa5c9167520c4a3a4689bd7a75db353af20c86f63394a053dc

RedLineStealer

ed10575d466f50c9ad8b7e59c614c6e6e57206820646ec7eab24e512f588ee73

RedLineStealer

+ 756 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210617-dskvtt22ze/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Unpacked files

SH256 hash:

8f0a036f4f2889d39ea84cf51bbb6746d33dcde06aa4bec8aa8fe5555ba7c37f

MD5 hash:

afafd5e48be3bb1e322dcdd85bea18b3

SHA1 hash:

fdcde764a23a4346114f90bf930da3aa1f500e37

Link:

https://www.unpac.me/results/2bd6cfb5-ea94-47e5-9c26-da5e88b2f674/

SH256 hash:

f373b1bf2a2c657117304839f7cc6b6ac2f3fc65884500a03a5464ecd06acfbc

MD5 hash:

ea332580258a5aeec9ea467cb94aa1ae

SHA1 hash:

f398809f5a866397cee9d293b900b6836645ae1e

Link:

https://www.unpac.me/results/2bd6cfb5-ea94-47e5-9c26-da5e88b2f674/

SH256 hash:

4a9df169a429315c53c793a05293a599fc8c9ab2c5fa669c2b1e9b7c7f1c69be

MD5 hash:

9f5ab07db6eb9a72411cf900cdfd0b20

SHA1 hash:

8b0fc5f488cc8c665e66489b5cafe92643495511

Link:

https://www.unpac.me/results/2bd6cfb5-ea94-47e5-9c26-da5e88b2f674/

SH256 hash:

a6c43747a61dbbfcabd23c6595f9237950dafddf54b187c6300ec75340f2d6d9

MD5 hash:

f22fd5eeb9de89b6aeaa93f14cdbf407

SHA1 hash:

3a3a3443b302ccde4c7c925a29155eaa33facaca

Link:

https://www.unpac.me/results/2bd6cfb5-ea94-47e5-9c26-da5e88b2f674/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a6c43747a61dbbfcabd23c6595f9237950dafddf54b187c6300ec75340f2d6d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.