MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dffbe02df3d40056daba3e9227a42085a4ef56f2d0406292d99e66fa9e69bdaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dffbe02df3d40056daba3e9227a42085a4ef56f2d0406292d99e66fa9e69bdaa
SHA3-384 hash: 05e8d8605e12c8105a8c4b2bbbf06e4c1716c2b64443248a49545f943b9de8dc88aeb9756ea78f2409aa3ae056b8d695
SHA1 hash: 0fb20fb5f337c8a9e0f660dcf4443f14fd9d35f0
MD5 hash: 16bb74d6bbeadbe69a9ad1a4fac6a690
humanhash: neptune-vegan-mobile-eight
File name:16bb74d6bbeadbe69a9ad1a4fac6a690
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:355'328 bytes
First seen:2021-06-17 04:52:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b0d3854c557fd79a46b820c312bd2709 (2 x RedLineStealer, 1 x DanaBot, 1 x CryptBot)
ssdeep 6144:zIIIxqHbApzfbRyQWvLPe9Bo2Q+dmcaX+yxSVq8/d:zIIIxwApPRdWvMQbZxAVF
Threatray 728 similar samples on MalwareBazaar
TLSH E474BE21A7A0C039F4B752F48A7993B4A53E7AB1AB3490CF52D626EE57345E0EC31317
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.110:5698 https://threatfox.abuse.ch/ioc/131637/

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16bb74d6bbeadbe69a9ad1a4fac6a690
Verdict:
Malicious activity
Analysis date:
2021-06-17 04:54:30 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/7bbefbca-4f01-437d-9abe-f42a376e2059

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Generic-9871694-0
Create hunting rule

Win.Malware.Trojanx-9871782-0
Create hunting rule

Win.Dropper.Stop-9871783-0
Create hunting rule

Win.Malware.Pwsx-9872042-0
Create hunting rule

Win.Malware.Pwsx-9872132-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2261247d-00e4-49da-84a4-4ab283d7f8da
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803470
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dffbe02df3d40056daba3e9227a42085a4ef56f2d0406292d99e66fa9e69bdaa/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 04:53:09 UTC
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3756alpt2qafnwv2h2jcpjbaqwso6vxs2bagfewztztpvhtjxwva._file
Verdict:
malicious
Similar samples:
261728fc1400289488ed7168916b8752a2633c638724cb1653f671568437545c
RedLineStealer
2fb6bf1f605b4441037e7870f0060ad5e5bdcfd9b8ad065a42dc953be5c8d321
RedLineStealer
365fd289daa60e68b54237aaec835baaf8e2cab5050c7982d2cf6dd7061842d3
RedLineStealer
62a47f5b00fd13033debb845a6874afb640b98b09038a3d70a6f76d3de27bea9
RedLineStealer
69de80bd429baa31213095720ab61e8a8ddd60212e735388c4d1af4202e2bd1c
RedLineStealer
6bb6382059170763745610333f5d787ad85861b750c217e3e04a9142d38af5ae
RedLineStealer
7a6db2fb6f1844f2003b1b6d914728331c90c9aab0adda7e75dd13c69c05aa2f
RedLineStealer
8a8f2fcbf0fa6b25c104baffe243b23a0b7ee7dd984669584c0118e54d92e39d
RedLineStealer
c7dac0da25d58206459be8af996568547c3df0f76149c741e607249af4c47a67
RedLineStealer
ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf8cf9155e67e7a460c2c
RedLineStealer
+ 718 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210617-8grezng61n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
2ea6bd2ddf00deae9c133dd9df3d4d0d3e0f5de24046d701526de076dd3e5f12
MD5 hash:
8a97982c0fecb63a066e7871c4721a2e
SHA1 hash:
95be05f599b0216e25b607eef1c808e9eade841a
Link:
https://www.unpac.me/results/1a443337-d9c8-480f-9c7e-3238e4976bde/
SH256 hash:
f5f7a8d15b82031ccefba82b4f576846391c71f1b9df9dfba18b457b51c167c9
MD5 hash:
4b6d177355b3c944cb1618e4326f95d2
SHA1 hash:
923102f3382e66c0b7ef298a30003656cdac773d
Link:
https://www.unpac.me/results/1a443337-d9c8-480f-9c7e-3238e4976bde/
SH256 hash:
6ca832973f1a493e5f85f789a88682ae7aeb8a09c1fd7586e8038b967ac0d268
MD5 hash:
1aea4e9b6261739236d6d90d60dea7b1
SHA1 hash:
339f377d2406f1c2358cc9d0d5f1ec336181ee72
Link:
https://www.unpac.me/results/1a443337-d9c8-480f-9c7e-3238e4976bde/
SH256 hash:
dffbe02df3d40056daba3e9227a42085a4ef56f2d0406292d99e66fa9e69bdaa
MD5 hash:
16bb74d6bbeadbe69a9ad1a4fac6a690
SHA1 hash:
0fb20fb5f337c8a9e0f660dcf4443f14fd9d35f0
Link:
https://www.unpac.me/results/1a443337-d9c8-480f-9c7e-3238e4976bde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dffbe02df3d40056daba3e9227a42085a4ef56f2d0406292d99e66fa9e69bdaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe dffbe02df3d40056daba3e9227a42085a4ef56f2d0406292d99e66fa9e69bdaa

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1372256/

Comments