MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c406c0b632f53da9dda00cb1114c086c099ac059b37a64d6cad6b64e7e096300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	c406c0b632f53da9dda00cb1114c086c099ac059b37a64d6cad6b64e7e096300
SHA3-384 hash:	ee0d7c42cfeb6b1b8eb3123e4aeed37194888392bf3cb780ef2dfa87067d574b7fdd4d73ad5c8c608959864f9651e01c
SHA1 hash:	9dbe2c4559e0b6907897c3fb773c02b8fe4bf57e
MD5 hash:	91352fa35eaeb5a4e2f79561352505b5
humanhash:	uniform-wolfram-kilo-virginia
File name:	91352fa35eaeb5a4e2f79561352505b5.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	283'648 bytes
First seen:	2021-10-12 10:15:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	613eed189326e5150348769c0b41fcc9 (3 x RedLineStealer, 3 x Smoke Loader)
ssdeep	6144:E3yy46DKB4tHKhVF2zTI+IkTm3r7Vx98aCd+vIyE:ry40K772Pnnm1H8t+
Threatray	8'459 similar samples on MalwareBazaar
TLSH	T17154F11035B1C4F6F6A716744965CFD25AFF78221A71A2CF6BEC3B2D4E60280963631B
File icon (PE):
dhash icon	81bcdcac9cccb48c (4 x RaccoonStealer, 3 x Smoke Loader, 3 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

91352fa35eaeb5a4e2f79561352505b5.exe

Verdict:

Suspicious activity

Analysis date:

2021-10-12 10:21:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3ce5c533-01a1-4ff6-8383-1336c5983f4b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/196899/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9b33e5f1-5af5-477e-8687-f9eb09f106ee

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/868536

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/c406c0b632f53da9dda00cb1114c086c099ac059b37a64d6cad6b64e7e096300/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-10-12 10:15:14 UTC

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yqdmbnrs6u62txnabsyrctainqezvqczwn5gjvwk223e47qjmmaa._file

Verdict:

malicious

RedLineStealer

319d10acfc388b91ab59503ab0d16ca888abaf05fa8e6ba4b1f7a34a61228b5f

RedLineStealer

5476f26328e5683cea4508e3e1c93faa4561116eb01796d635e6f60b7791347a

RedLineStealer

5cdca6838044c712d83b192f693ae6da288d6cd065f431014f5569cbbe20b589

RedLineStealer

6152b89328948e22cdaa7c340449bb172fbf4e919c05dd3ac84362ea7fec657d

RedLineStealer

8aad139047e6c18b5f9d33145912c1ea20615d5e63433b54805a03e986c85736

RedLineStealer

93cab9c0bb921b19441630eaff516d547c8083dd1e2bd7b8b799ec282af5ef23

RedLineStealer

9fd9a7f1fcd183cb0ae2219de02104e103fd135d25b0ed1b7283ecd3f99f856d

RedLineStealer

d0dda5dfd52eedeb0c31cc69428a488f7af8f66e6c3a736ff88c6ea1c8ebed35

RedLineStealer

d8422e68f6bc3b3564efac25e147168494be5cacfb3d1695945f9935fb1045a4

RedLineStealer

+ 8'449 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:usamoney infostealer

Link:

https://tria.ge/reports/211012-l99d7scaep/

Behaviour

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.142.215.47:27643

Unpacked files

SH256 hash:

94f190ffa964ad08448acc382f9513289fd26c58e888dd15137c5a65236a64e8

MD5 hash:

1f9661656c38437fe2718c67c2eb027e

SHA1 hash:

4cd0011e396e303eb2471b9c6dc45c141402490d

Link:

https://www.unpac.me/results/08d9b771-6990-46bd-a174-c951213b349e/

SH256 hash:

b7a5d5529feac62517bc4a4ad2ed9fe11bc41f86278e1250cc39dc3e99cf9e1f

MD5 hash:

02cdfa8b1ac0e4765e3c3c21841e5741

SHA1 hash:

258018087d44e3211d55ebf454b693591831d67c

Link:

https://www.unpac.me/results/08d9b771-6990-46bd-a174-c951213b349e/

SH256 hash:

e29f200555fedd39221dbde02ff2e276bf36f878c53530ee14da4a7f5c5d9b45

MD5 hash:

2f208b6fec7ac8eeffa63078a9a7af97

SHA1 hash:

064d100d7ddb6206a8bffdd893bfdfbd45e0af2b

Link:

https://www.unpac.me/results/08d9b771-6990-46bd-a174-c951213b349e/

SH256 hash:

c406c0b632f53da9dda00cb1114c086c099ac059b37a64d6cad6b64e7e096300

MD5 hash:

91352fa35eaeb5a4e2f79561352505b5

SHA1 hash:

9dbe2c4559e0b6907897c3fb773c02b8fe4bf57e

Link:

https://www.unpac.me/results/08d9b771-6990-46bd-a174-c951213b349e/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c406c0b632f5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c406c0b632f53da9dda00cb1114c086c099ac059b37a64d6cad6b64e7e096300

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.