MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bec5357c8a455639460f76de7bac4220c225a1770cfb5448de3c8885a22a8ba4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	bec5357c8a455639460f76de7bac4220c225a1770cfb5448de3c8885a22a8ba4
SHA3-384 hash:	407062cba523ed78694010ec15ca5fd86f2788066d099523b31e10d22a31860cb722056094061ea548d7f0fff3e95cb7
SHA1 hash:	7c8be850860900b6cb7cf1513ffa06b41bc86831
MD5 hash:	e587abc077331ea2a85413378c4dcb4d
humanhash:	montana-glucose-ten-fix
File name:	e587abc077331ea2a85413378c4dcb4d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	397'312 bytes
First seen:	2021-02-02 08:54:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e0f78ec20353f62d287931ae5f1c3dc4 (1 x ArkeiStealer, 1 x RedLineStealer)
ssdeep	6144:72UHZngEZAwWXcKFS/ELhonBBlrK/qzQ51KASAcEljDU6KeSsaffal0RspIe:72clpZAwWtS/2hoHNM51KAtYGskG
Threatray	1'110 similar samples on MalwareBazaar
TLSH	6984AE00B7A0C034F5B722F489B59278A6F97EA1672950CF52E52EEA5F746E1EC30317
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e587abc077331ea2a85413378c4dcb4d.exe

Verdict:

Malicious activity

Analysis date:

2021-02-02 09:15:46 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/400b4c57-3456-4fd5-8cca-39c932931679

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/115097/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Connection attempt to an infection source

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/596331

Signature

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/bec5357c8a455639460f76de7bac4220c225a1770cfb5448de3c8885a22a8ba4/

Threat name:

Win32.Trojan.Jaik

Status:

Malicious

First seen:

2021-02-02 01:42:24 UTC

AV detection:

19 of 46 (41.30%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

35b387e25dfb13a3b425438ab49168fd72d4c9c264d6a121a43f1e7387cdadae

RedLineStealer

457aecc9187cb32bf4a2678fdf61450f013a48460d454e986bae391b03b3cb10

RedLineStealer

53694d09899c9de1600743b37ab45e9dc4e3eaf329dc410e87a3b7318d943012

RedLineStealer

566b744e0e0b789f5ba0502144328af1df9483cfbd80a0efc7437aec176c3ac6

RedLineStealer

5e05d90bcdb3ed152fbc447a2f30538affdb2e3c3f60fe4a548837123a423f45

RedLineStealer

7129a252cd03ac8beaf05e47856244422d251d9c1e373992abaafe8199b4fff9

RedLineStealer

8f479fb175685aa848118801d06cdf077c087265494d2c931b50ab2074ba7183

RedLineStealer

94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb

RedLineStealer

9ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65

RedLineStealer

+ 1'100 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210202-jarbyjmk3x/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

78012d833e6b9656502594bd3c8e95e8376444d75cef3a2159ed248e47b8b9ab

MD5 hash:

c1e8d45f9cceb98ea89a2cf6fc9eb4c7

SHA1 hash:

8d0224eafd878c507e03449a32b11ad377ea0a47

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/bdad0655-2053-4623-b6a2-8eda8c13e9dc/

SH256 hash:

1b66de9b97c623e6fe27ba326321e141ddcef2aad74ad8af6464a1dbaea727c2

MD5 hash:

b58fad96087d39fba1fddc22c9b4e864

SHA1 hash:

7a938727d69ce6282695285f2d44a52cb35affdb

Link:

https://www.unpac.me/results/bdad0655-2053-4623-b6a2-8eda8c13e9dc/

SH256 hash:

7add8961a52bb43f3339bed155c003abd7b19d04736320b077e8787e81006e22

MD5 hash:

40425a5e56cb92d7a068e611657ea531

SHA1 hash:

068d277823547f495f8475f044881624ae2706fe

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/bdad0655-2053-4623-b6a2-8eda8c13e9dc/

SH256 hash:

bec5357c8a455639460f76de7bac4220c225a1770cfb5448de3c8885a22a8ba4

MD5 hash:

e587abc077331ea2a85413378c4dcb4d

SHA1 hash:

7c8be850860900b6cb7cf1513ffa06b41bc86831

Link:

https://www.unpac.me/results/bdad0655-2053-4623-b6a2-8eda8c13e9dc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Azorult

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bec5357c8a455639460f76de7bac4220c225a1770cfb5448de3c8885a22a8ba4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.