MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b51f8605de8f2f239f7baa1e85144757f60c5106987b6cc7e0cdd228892121ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12


SHA256 hash: b51f8605de8f2f239f7baa1e85144757f60c5106987b6cc7e0cdd228892121ca
SHA3-384 hash: 3f0398916cb944fb0e845b7cd463188e1bf53ba8c2eaa26f2a87283de8628ba2edef8c4c3acea8197e541bec20dafe6f
SHA1 hash: 814608b09e45a8bf29d5089c8b8d761d69688ba7
MD5 hash: 7b6803a529170e0f0f46655b888c5ef9
humanhash: lactose-speaker-uncle-mountain
File name: 7b6803a529170e0f0f46655b888c5ef9.exe
Signature: RedLineStealer
File size: 303'616 bytes
First seen: 2021-01-16 07:25:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6ed4f5f04d62b18d96b26d6db7c18840 (221 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep: 6144:rE5WaXIQP5xCe5I3xDgureVQJn3H/XPnkBvaYlYJAJiRYDEVtTZ:rEQnQP5xdixD5re+Jn3H/X/ivzlYYcyS
Threatray: 975 similar samples on MalwareBazaar
TLSH: EE5412430A1A4A82EEB4583C773BB7835D1897D95F8CED36BE91818BD970F7640B701A
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://93.115.18.245:35200/IRemotePanel

Intelligence

File Origin
# of uploads: 1
# of downloads: 281
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7b6803a529170e0f0f46655b888c5ef9.exe
Verdict: Malicious activity
Analysis date: 2021-01-16 07:26:07 UTC
Tags: rat redline trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw
Score: 68 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-01-16 00:06:27 UTC
AV detection: 16 of 46 (34.78%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SHA256 hash:
e35e4d65c4f0cdaa0427355ec40daedaeca384cf89b91a20e269a974b77cb113
MD5 hash:
cb1467b0d2e76daff4fefcb93b9593ee
SHA1 hash:
bf32420422abb038396f2bd3622994c32e86c63a
Detections:
win_redline_stealer_g0
Parent samples:
SHA256 hash:
2910d83f8774b0fd7b60b39c1f52acdd1b0b62ff616d67deb3f53ddd3d1d4493
MD5 hash:
60f472eb3cd3cd5fe8e28d816d9c369a
SHA1 hash:
acec1fb360a5fd3498861c74b7472b4bb174b355
SHA256 hash:
55945c175d77649816d4bdd62793a48f4ae0275780f720e6c527e9bf13ea2610
MD5 hash:
b67b9829c2540d0bcdfb12152b388a3a
SHA1 hash:
288713acd72c61ae2015c891eb7bf999857267af
SHA256 hash:
e877e4cc1d7127f1e33bb418f4722026fb56159155bc9c318bead4c875d96f1e
MD5 hash:
ceb517bc9079e3ef468da163ddc13459
SHA1 hash:
84196e0c0cc10ec52d5cc636b7bfed607ceb1af0
Detections:
win_redline_stealer_g0
Parent samples:
SHA256 hash:
b51f8605de8f2f239f7baa1e85144757f60c5106987b6cc7e0cdd228892121ca
MD5 hash:
7b6803a529170e0f0f46655b888c5ef9
SHA1 hash:
814608b09e45a8bf29d5089c8b8d761d69688ba7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: b51f8605de8f2f239f7baa1e85144757f60c5106987b6cc7e0cdd228892121ca (this sample)

Comments