MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b55704fa2fb3db346332e5cfa37a04628a2ac747184e4104c929704eb4b5b2b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments 1

SHA256 hash:	b55704fa2fb3db346332e5cfa37a04628a2ac747184e4104c929704eb4b5b2b4
SHA3-384 hash:	d31919989e661f7552173edbc9319fdfcd6b38a6d9478ada3289699d2bc1870f9b9bce6423f026882c2dbe45fa776c0e
SHA1 hash:	5ac60e9c30d6e975adb5fc1445d4f7d279612e3c
MD5 hash:	35878c80b3957a04c99270e45d66f3cc
humanhash:	kansas-shade-diet-tango
File name:	35878c80b3957a04c99270e45d66f3cc
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	252'928 bytes
First seen:	2021-08-19 19:01:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d14e6f286b56e073587d660c9cc6ef7f (7 x RedLineStealer, 3 x Amadey, 1 x 1xxbot)
ssdeep	3072:w+pHi9bPhpasaKBMjUAzgCEkk9dADb/rXKFmgploIDbLhYLCfZzENRjt7/v8KT0X:lJiJPhpahKyNZeq/rXKF97xiqAl/7
Threatray	4'642 similar samples on MalwareBazaar
TLSH	T1BA34F1117580F1B2C46B007548E2FBE1E6BA7D226B7552473F982F6F5F303924A2B366
dhash icon	1072c092b0381802 (7 x RedLineStealer, 2 x Smoke Loader, 1 x ArkeiStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b6b054b0a63ed8e89b4a55c1679b8743

Verdict:

Malicious activity

Analysis date:

2021-08-19 18:59:19 UTC

Tags:

evasion opendir loader

Link:

https://app.any.run/tasks/42dc54e6-9998-4406-bb00-7da7744f54db

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/180776/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.21805.UNOFFICIAL

Win.Packed.Generic-9886938-0

Win.Packed.Generic-9887018-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/207fe07a-80eb-452c-8503-728b0246db23

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/836004

Signature

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Potential time zone aware malware

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b55704fa2fb3db346332e5cfa37a04628a2ac747184e4104c929704eb4b5b2b4/

Threat name:

Win32.Ransomware.WannaCry

Status:

Malicious

First seen:

2021-08-19 06:22:00 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wvlqj6rpwpntiyzs4xh2g6qemkfcvr2hdbhecbgjffye5nfvwk2a._file

Verdict:

malicious

RedLineStealer

5a08fbf3635e557182b59aba6d21a974aa712ea0e90b023cbf76519ea52959aa

RedLineStealer

5cce9b6a71a53d6d8f9cb245ee9153618ed3c41b6cf3a9319e6d484c9110fc64

RedLineStealer

637a0494e576015bdbc53a9a3d5efd6ed2cac129facef169a06ed4f2d07188d2

RedLineStealer

ca68be73a03f7463fa58538b9ce46d0c94fc15204bddc7fe0a6a5c70fdb8f1b1

RedLineStealer

cd62e4fee322712a02787bcc881712ee41b99f8e8de3e425d90399bf5bf5fe75

RedLineStealer

e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25

RedLineStealer

+ 4'632 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:19.08 infostealer

Link:

https://tria.ge/reports/210819-5sh1ylh66a/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

61b14a9f3282f338e76d96b410dd81d875958c8fc8878d2f0e2867691cc9c2a9

MD5 hash:

150b80e8b5ff2aa19a7eee2ca26904c6

SHA1 hash:

e19746318aaa5a17bb7528ae6d4872d096e8e837

Link:

https://www.unpac.me/results/cf6c87f4-7ada-48b2-9a32-d83cdfb7323a/

SH256 hash:

4ed6265ce7bd708af634235427e873649856a921ac32dfe79ca267e9f141dc20

MD5 hash:

94a3eab1e7bb61a0ff1f7f3e2480d049

SHA1 hash:

bddc76ec1b9379a2589c04084e60e5cbe0d7f89e

Link:

https://www.unpac.me/results/cf6c87f4-7ada-48b2-9a32-d83cdfb7323a/

SH256 hash:

aca38fca0e7f6ef8ffeb85e08b53a16e25283e9a811394f409bdd265a4c2a6e1

MD5 hash:

f35840b6de257760de94713df76ad25a

SHA1 hash:

9d268907749cd43ec3af81402ad222923d719f69

Link:

https://www.unpac.me/results/cf6c87f4-7ada-48b2-9a32-d83cdfb7323a/

SH256 hash:

b55704fa2fb3db346332e5cfa37a04628a2ac747184e4104c929704eb4b5b2b4

MD5 hash:

35878c80b3957a04c99270e45d66f3cc

SHA1 hash:

5ac60e9c30d6e975adb5fc1445d4f7d279612e3c

Link:

https://www.unpac.me/results/cf6c87f4-7ada-48b2-9a32-d83cdfb7323a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b55704fa2fb3db346332e5cfa37a04628a2ac747184e4104c929704eb4b5b2b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.