MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da5f87ea1b0e0f4307378a7f4d7fe7077447be8123d9230d2a706bff4029c5a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	da5f87ea1b0e0f4307378a7f4d7fe7077447be8123d9230d2a706bff4029c5a7
SHA3-384 hash:	ddc5c5d22b0e6a3193bfa41ba881e1c8e56902f8f1c53bffae398894dc61621260b3e1d4644d81f5cb5ebfbbf5457119
SHA1 hash:	4a5c7508ef417df76dbc6d69f3a8d3da951305c9
MD5 hash:	a2d27ac7beaf46c0b35ed660ece256b5
humanhash:	pluto-blossom-table-sierra
File name:	a2d27ac7beaf46c0b35ed660ece256b5.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	316'416 bytes
First seen:	2021-04-02 18:10:39 UTC
Last seen:	2021-04-02 19:09:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0e71c93ad51122945779f4479efb70a9 (1 x RedLineStealer)
ssdeep	6144:oF4W7IKvAUEoXmptaYXAAGO7XTokEGpzP8J6iPpmm9RlriUY9Cph:LW7jEoXSaMhXogdSbri+h
Threatray	533 similar samples on MalwareBazaar
TLSH	CE64F11171C4C873E5620A3444A9CAB1463AFC725F758AC7BBC42B3E5E267D18E3B786
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a2d27ac7beaf46c0b35ed660ece256b5.exe

Verdict:

No threats detected

Analysis date:

2021-04-02 18:47:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8d762b57-0cb6-4c66-bbaf-4165e720e3ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/131839/

Detection(s):

SecuriteInfo.com.Trojan.Siggen13.493.24524.24460.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5eae75e9-2870-4f5b-81a5-f97730fb5cc3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/664101

Signature

Antivirus detection for URL or domain

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da5f87ea1b0e0f4307378a7f4d7fe7077447be8123d9230d2a706bff4029c5a7/

Threat name:

Win32.Backdoor.Tofsee

Status:

Malicious

First seen:

2021-04-02 18:11:18 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3jpyp2q3byhugbzxrj7u277ha52eppubepmsgdjkobv76qbjywtq._file

Verdict:

malicious

RedLineStealer

168eada700bc85528f3405b7f4c72c9d565cc28d90e40b05d429c59a2625dd8c

RedLineStealer

547a657aafef619da86801e51e88c7330962984b479eb662f4b323c7ba1911c6

RedLineStealer

5b39d7d6eae45df2f9e263a36b30a1ca32c4c5d80a923c0a2380098fb33d978f

RedLineStealer

83f9b6d6a511c4cae8cb49a92fd18a6333067c50bc1ace0c00324c4af27887e0

RedLineStealer

c252253deb8ce68d6c44f555d2ce707f7581dc7267f5d6a892a626469691ef9f

RedLineStealer

c490ae5b2f9c6a0f3b030c837c57c8c2068f320a2c64e1abfdaa94cbb8ba3333

RedLineStealer

c8e651bcfb9e5b6085fe4058ebba2b015c71a04aee4d5158102c6554d346b9d9

RedLineStealer

d1413e28da1395166d0b510e83b9da3e510aa6ccaeb47f12681d94b0cd24e699

RedLineStealer

e2a3a134421c597d262a080f13c3bed0d7c8c605d8c6472bc8fc490e742ce44d

RedLineStealer

+ 523 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:3424565 infostealer

Link:

https://tria.ge/reports/210402-hzbp74c6rj/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

lordliness.store:40355
razorless-shaving.store:40355
fugicarfc8.store:40355

Unpacked files

SH256 hash:

1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9

MD5 hash:

78a535422e2f6ee38d23303739633df4

SHA1 hash:

a79eb74129aaa63ca4175bad850510667e876255

Link:

https://www.unpac.me/results/04356c13-7afa-4841-a0f2-cb5b242a8546/

SH256 hash:

bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630

MD5 hash:

71705e85f8748ca46e31537e62e19037

SHA1 hash:

4f2b3ee4cf0809016c4a9f6958ec752067d838cd

Link:

https://www.unpac.me/results/04356c13-7afa-4841-a0f2-cb5b242a8546/

SH256 hash:

aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848

MD5 hash:

c61ed3bf3203c28408a6b58a338b0b07

SHA1 hash:

1eafb1e9511440ba36ba0f05d3fe0f076805fd75

Link:

https://www.unpac.me/results/04356c13-7afa-4841-a0f2-cb5b242a8546/

SH256 hash:

da5f87ea1b0e0f4307378a7f4d7fe7077447be8123d9230d2a706bff4029c5a7

MD5 hash:

a2d27ac7beaf46c0b35ed660ece256b5

SHA1 hash:

4a5c7508ef417df76dbc6d69f3a8d3da951305c9

Link:

https://www.unpac.me/results/04356c13-7afa-4841-a0f2-cb5b242a8546/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/da5f87ea1b0e0f4307378a7f4d7fe7077447be8123d9230d2a706bff4029c5a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.