MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddc087ef9f65b9db5875f5836b47b82cfe0af2d53cb43563033e27e7c3771f3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments 1

SHA256 hash:	ddc087ef9f65b9db5875f5836b47b82cfe0af2d53cb43563033e27e7c3771f3a
SHA3-384 hash:	8b9228bc6c4cd90422260256895ba8f55067abbb3ad3f37d4775066429211b3d54dd95f648fbb94e8a922e0503907b1d
SHA1 hash:	ff9aee4beed0c7639240eef49b959970b63c8e58
MD5 hash:	540e7f8bcd6c5c0b54b37b9de1b65406
humanhash:	victor-twenty-august-juliet
File name:	540e7f8bcd6c5c0b54b37b9de1b65406
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	390'144 bytes
First seen:	2022-03-28 21:27:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c5abd0d249bf5319619ab44b6b97960d (5 x RedLineStealer, 2 x Stop, 1 x N-W0rm)
ssdeep	6144:mDH8DXVOpTSSvYD4eXNVbabPCK/+3/qtn/Cd4JVJ9KJvAK:mDH+EpTSSve46dar3K2d9uvV
Threatray	3'470 similar samples on MalwareBazaar
TLSH	T1EC84C010BBA0C034E5B726F45DB993A8793E7DB19B2491CB32D42AEE56306E5EC30717
File icon (PE):
dhash icon	b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/258787/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.19452.22611.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11839/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/624228659253b276b7941122/reports/50f3c76c-7780-472d-8015-28d139cda415/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/706b4ab2-c7e6-4ad1-8b1b-f37f7c1e7cc2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/966224

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddc087ef9f65b9db5875f5836b47b82cfe0af2d53cb43563033e27e7c3771f3a/

Threat name:

Win32.Trojan.DllCheck

Status:

Malicious

First seen:

2022-03-28 21:28:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xaip347mw45wwdv6wbwwr5yft7av4wvhs2dkyydhyt6pq3xd45a._file

Verdict:

malicious

RedLineStealer

3f41c1f89cee913fea8e68e963abaf222e4761d2f9a89e434cde4a28fd9a7e4d

RedLineStealer

8933afd919d120bf9b572f07110aca6c46e26d098770202ceab73160c21f8204

RedLineStealer

a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5

RedLineStealer

b48372b694840f2e042a0ed009bf134c33a7bab3e5041a61dd9119e676169be4

RedLineStealer

e53cd7ea200e2a80b7431f6e72ab2f588d009e430f3d9d18c31bd4f49276b5be

RedLineStealer

+ 3'460 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzkiunikalno infostealer

Link:

https://tria.ge/reports/220328-1ba63sbebn/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.233.48.58:38989

Unpacked files

SH256 hash:

6e328c2d15af0213e46d1961a29a014f491f41c552a62280fa22a0e16ed2da3b

MD5 hash:

55e770b27a23a546bb4d9744a21b3d7b

SHA1 hash:

b37f6451697f0ef4d166a836c1701dcaca0eee5e

Link:

https://www.unpac.me/results/0506bb6f-6a91-4cf4-981b-85c108d9eea4/

SH256 hash:

b2299c0ccf9c6aef88967bc412b831c68e6ff989c476b46b7d2cc695bdce8f08

MD5 hash:

f32ce0c6a801a0b441f304162b18e29b

SHA1 hash:

ad76568654696007a59300d023e39504c8e16835

Link:

https://www.unpac.me/results/0506bb6f-6a91-4cf4-981b-85c108d9eea4/

SH256 hash:

f62fb79c4abb5572e87c2947eb9bdc4a1126244af2f438a7f1bfa0756e136bf6

MD5 hash:

943f660d25d8246f4220f44eb0090266

SHA1 hash:

26757bceb79aef53bdd5bd45b281784fb0e4ca3b

Link:

https://www.unpac.me/results/0506bb6f-6a91-4cf4-981b-85c108d9eea4/

SH256 hash:

ddc087ef9f65b9db5875f5836b47b82cfe0af2d53cb43563033e27e7c3771f3a

MD5 hash:

540e7f8bcd6c5c0b54b37b9de1b65406

SHA1 hash:

ff9aee4beed0c7639240eef49b959970b63c8e58

Link:

https://www.unpac.me/results/0506bb6f-6a91-4cf4-981b-85c108d9eea4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddc087ef9f65b9db5875f5836b47b82cfe0af2d53cb43563033e27e7c3771f3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.