MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd06bc6e04202a337a16121096b67af4e0f6b3f0a068883ebc647f19eeb6aeb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 17 File information Comments

SHA256 hash:	bd06bc6e04202a337a16121096b67af4e0f6b3f0a068883ebc647f19eeb6aeb7
SHA3-384 hash:	bdcf19f1b0eef5594392c810829c812ea0e9afe7ddb8ae3f826519aab81199a7a05c5a1dfe8096d4b86e1c33f68b1f2e
SHA1 hash:	952dcdf4fb36b70279f890fbe4e7ce4c8b1bf9e5
MD5 hash:	a33a59a8cd3b8f799eb195806c551a32
humanhash:	glucose-saturn-comet-zulu
File name:	a33a59a8cd3b8f799eb195806c551a32.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	16'194'280 bytes
First seen:	2021-06-08 07:09:28 UTC
Last seen:	2021-06-08 08:11:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	98304:C6IcR2MHPEm6ty5m+5Q2qmxfFPKvD8AgWOsfIQzkNfej:C65VP1uJ+DpxfYwWOuzkxej
Threatray	470 similar samples on MalwareBazaar
TLSH	14F623337EA0EE14E740477654AA22C42F18EBB3C794F2B5B38C75A52B319238DD6563
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
162.55.55.250:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
162.55.55.250:80	https://threatfox.abuse.ch/ioc/67974/

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a33a59a8cd3b8f799eb195806c551a32.exe

Verdict:

Malicious activity

Analysis date:

2021-06-08 07:43:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/754b14b4-9cef-4a1f-8842-d8226984b000

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.30537.2025.32299.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/798583

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd06bc6e04202a337a16121096b67af4e0f6b3f0a068883ebc647f19eeb6aeb7/

Threat name:

ByteCode-MSIL.Infostealer.Reline

Status:

Malicious

First seen:

2021-06-04 06:50:19 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xudly3qeeavdg6qwciijnnt26tqpnm7qubuiqpv4mr7rt3vwv23q._file

Verdict:

unknown

RedLineStealer

3f9b5ecaed880f50c6bee7504768aa9f362326666ff2197cc487f0707bff56fa

RedLineStealer

4b9802e46fc0efd83d5e603b47743543987c12d543b4a75b67d6b873e889eb34

RedLineStealer

55342589e3d128aa53314e613bab6608de3c0f69ed1dae8b5acf5ba694c54c7c

RedLineStealer

61777c1c43dab94734f932d974a605d2c3ec4e24e7d591927c726b4df77c232f

RedLineStealer

6e0f67620da1ee82c0cfc0c166f2a027fdd8af9c8f4622952b19bed41de60b7b

RedLineStealer

8506352e60dea0ee05bff79a9408f910850735939399bdf040c40ffdead19d61

RedLineStealer

ae82fbab9d30ba8a6f7c542855fdd7f51a7ed3f777fc3fd1c2b1c20f22f776ac

RedLineStealer

bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb

RedLineStealer

e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37

RedLineStealer

+ 460 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline

Link:

https://tria.ge/reports/210608-qegyx544aa/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

bd06bc6e04202a337a16121096b67af4e0f6b3f0a068883ebc647f19eeb6aeb7

MD5 hash:

a33a59a8cd3b8f799eb195806c551a32

SHA1 hash:

952dcdf4fb36b70279f890fbe4e7ce4c8b1bf9e5

Link:

https://www.unpac.me/results/367f8318-9365-47b0-9fe7-dbccb0ef64b1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd06bc6e04202a337a16121096b67af4e0f6b3f0a068883ebc647f19eeb6aeb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	ClamAV_Emotet_String_Aggregate Create hunting rule

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	Cryptocoin_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	dridex_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	silentbuilder_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample