MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7c6c045484ecb51eb4039987813c8979458b2cde450ab856fbcabc135b30d7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	c7c6c045484ecb51eb4039987813c8979458b2cde450ab856fbcabc135b30d7e
SHA3-384 hash:	137d719d97c4465fcff37798218b158c97eb3caa840c47de4fe50052820dffec9b2650146ca1c458e73e1d105a28a14a
SHA1 hash:	943f4d7d25e936aeb5d7eac3e614553fa51d0751
MD5 hash:	1e62546034dda075ccac4731a2282b0b
humanhash:	blue-emma-cold-four
File name:	1e62546034dda075ccac4731a2282b0b
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	433'664 bytes
First seen:	2021-06-24 12:31:42 UTC
Last seen:	2021-06-24 13:54:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	87903d189e9bdffe189d97a93bbbb434 (2 x RedLineStealer, 1 x Glupteba, 1 x DarkVNC)
ssdeep	12288:ilWU+veyv1CNSoFgCs9qRC8nUyuzUGCe:iZ+veyvySX9qAdyuAe
Threatray	2'939 similar samples on MalwareBazaar
TLSH	BA94AE10E6A0C035F1F756F49A7AA3BDA52E79A15B2050CF12E4E6EE16343E1EC31727
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1e62546034dda075ccac4731a2282b0b

Verdict:

Malicious activity

Analysis date:

2021-06-24 12:35:38 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/eb758c01-27f5-4497-9e13-65bc9d6d7c26

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/168024/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader39.65155.21198.25790.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/042f8435-c0e2-4613-b6bc-bde146a5c167

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/807460

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7c6c045484ecb51eb4039987813c8979458b2cde450ab856fbcabc135b30d7e/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-06-24 00:30:09 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y7dmarkij3fvd22ahgmhqe6is6kfrmwn4rikxblpxsv4cnntbv7a._file

Verdict:

malicious

RedLineStealer

34c3d185dc61472fccfc4b49d646ccca9d057596dc8947e62773ca63205ef67b

RedLineStealer

393aac4cba99e10526596a762318a76c8380e1283ccf01aad2b10f5e5b0cbb90

RedLineStealer

397ed238fbdca9e09a2429f2249c62606a1431f1d99995dcd709b13428318bfe

RedLineStealer

3ef2031bfa11d5d3185989e60d8ff3568231c78628ff6bb851ae135d222a88a1

RedLineStealer

4955fdfd3badd730cd26c71a8804d57a38310b8cd1981397c00db1ea24e14507

RedLineStealer

4ba1f3203a445260b701e2508721583d02fbb926a3a34474bb7bf631b82cb028

RedLineStealer

4cf4fe7855632a62537bf2acaa36cc8341cc9166370f12afab068b32d17a1c33

RedLineStealer

70dc7440d18c157ae5d3728dae25de4e96ecae566c2840afa611c1ab8e4225a9

RedLineStealer

af350212764e6304bf417e81cf0009b494119670e4bc1b187cd79cf4c487c7b6

RedLineStealer

+ 2'929 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:hcwikyy0pfw4gqll infostealer

Link:

https://tria.ge/reports/210624-vjg62qzbsx/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

BS0DQyMaPBQ6IHwBKSYiBTg4F0UFLQNDICQWUQ==

Unpacked files

SH256 hash:

1df880c541d98ff3b60e13aeb65b0585c83022bee114dd908ac3f1103da5d1fc

MD5 hash:

fec45751f7edac0735e3a94ecbe88c82

SHA1 hash:

efcee845ae6320b9cafb578f6e2dab285d567354

Link:

https://www.unpac.me/results/fcbbf7c0-39e5-408f-bc21-9b675af4c3f7/

SH256 hash:

a21d2e19561ac20760ee3280dd9e8cd2a9b7db4fa062f2d5b0012613cc47fc0a

MD5 hash:

a91003c1b7a8b76818353d708ea10ed9

SHA1 hash:

5bd2c780a46edf6a92569b932d12f443fcc262d4

Link:

https://www.unpac.me/results/fcbbf7c0-39e5-408f-bc21-9b675af4c3f7/

SH256 hash:

c84f12cb6a9169936f781b063e0f1fa90b0fa218b508694fb48f2b7a6366be58

MD5 hash:

88277fde71f7a1eaa6430ecc00bcbee4

SHA1 hash:

3cabdda532f804195f86650d89eabf78f744eafd

Link:

https://www.unpac.me/results/fcbbf7c0-39e5-408f-bc21-9b675af4c3f7/

SH256 hash:

c7c6c045484ecb51eb4039987813c8979458b2cde450ab856fbcabc135b30d7e

MD5 hash:

1e62546034dda075ccac4731a2282b0b

SHA1 hash:

943f4d7d25e936aeb5d7eac3e614553fa51d0751

Link:

https://www.unpac.me/results/fcbbf7c0-39e5-408f-bc21-9b675af4c3f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c7c6c045484ecb51eb4039987813c8979458b2cde450ab856fbcabc135b30d7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.