MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0aa9e2cd810d02afb47a4dee2f52d2b8e69f37d167d5a686fe654637cca78a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 1 File information Comments

SHA256 hash:	f0aa9e2cd810d02afb47a4dee2f52d2b8e69f37d167d5a686fe654637cca78a0
SHA3-384 hash:	0762656e9816b61ea5fc94969c28645c1e6a6642f60449bb4b9b46ce74dfc026535b2bc0d3309c2655c1aad180f7070e
SHA1 hash:	76d7d840f5db3a8834b37e7059840dab7c399636
MD5 hash:	c7d050afda523d484103b41110524c26
humanhash:	ten-sweet-december-spaghetti
File name:	c7d050afda523d484103b41110524c26.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	407'552 bytes
First seen:	2021-06-21 09:06:17 UTC
Last seen:	2021-06-21 09:42:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	123708792297e850a475b64837725c34 (2 x RedLineStealer, 1 x CryptBot, 1 x Gozi)
ssdeep	6144:3snGHYRsVFy/NJ3mTFgKbvmzC0Cobc6zTPiXxuG+j4W1ZKriuBz:EGHosVFy/NsFgK6Wybc6zTKXwGrklM
Threatray	2'779 similar samples on MalwareBazaar
TLSH	0F84BE11F7A0C035F2F762F8567693A8A93E7AA16B3050CF12E51ADE5A347E0AC31717
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
176.111.174.254:56328

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
176.111.174.254:56328	https://threatfox.abuse.ch/ioc/137666/

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c7d050afda523d484103b41110524c26.exe

Verdict:

Malicious activity

Analysis date:

2021-06-21 09:09:13 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/6fb23e46-993c-4705-b400-89af4b6aea8f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/167243/

Detection(s):

SecuriteInfo.com.Troj.Kryptik-TR.26879.21860.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8fcd9575-0466-4dc6-bdf2-ef1117fc3938

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/805219

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0aa9e2cd810d02afb47a4dee2f52d2b8e69f37d167d5a686fe654637cca78a0/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6cvj4lgycdicv62hutpof5jnfohgt435cz6vu2dp4zkgg7gkpcqa._file

Verdict:

unknown

RedLineStealer

341041d0a586d0c8cc0f8e9b870dc3961fb95ea2593497df88b40cbed79813ca

RedLineStealer

393b838448bbfc184a018d6aedd6f28a38226e60a45bbd7df441f05298be45d0

RedLineStealer

3e503d31e990d9452c5f5ee146e7f83f46df6b034563f8a6d10959de7b43ae78

RedLineStealer

4cce764abc9c530276a82397c4200fe0ecb2c8137ef1d1b91ad38beccc37b02b

RedLineStealer

4f3a351455832dca36b70f79c591d224fd52865d5b7b47cab749e8791044d625

RedLineStealer

7f375d7a2e62835d9436ee95f499da5cdcbf03b3be43bbcdb2cb674f0b834690

RedLineStealer

8f505de01044f7c78890ea859ac813af388145086cc3e84719913eaf53fd2d18

RedLineStealer

ae52d2f4e14221b91efcf31a18b1f9e288ee2d342786e8250a7b6ec25833d148

RedLineStealer

e11501c9e16a2f69751da6f5d8d2e5ff3023eea48baf5008a197e20a2ffd66be

RedLineStealer

+ 2'769 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210621-4cz3zqrzlx/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Unpacked files

SH256 hash:

aa6cc42ad1c627460a4c54cfa46fa1934518c510d2bdb323ee119c460136ed3f

MD5 hash:

f2eb93b3bbe3cad8a4b76e74ffd3ccff

SHA1 hash:

e018afa2e24e5eb03598d37d9142674ad1d7ac2f

Link:

https://www.unpac.me/results/65dd716f-2d6e-4998-8bec-f718cd2a9a73/

SH256 hash:

7296d60423fbfc4877e7bbb0c1352d0756908f9fbc53679bce463320e3a382f0

MD5 hash:

7ca1af0d05d832e6039ddb2629c6007f

SHA1 hash:

b3cf5b027fa6ee5a6cebb33bde0b36eb17e9956c

Link:

https://www.unpac.me/results/65dd716f-2d6e-4998-8bec-f718cd2a9a73/

SH256 hash:

8c7cdb6916702d2387737927da9a3c49a6f4c1033545c1ed9bb37fc2829e4803

MD5 hash:

dca556c5c11a934a767c12ac44f179e5

SHA1 hash:

900f5ad3481cdb4f82dccf97d0b7ab272e599dce

Link:

https://www.unpac.me/results/65dd716f-2d6e-4998-8bec-f718cd2a9a73/

SH256 hash:

f0aa9e2cd810d02afb47a4dee2f52d2b8e69f37d167d5a686fe654637cca78a0

MD5 hash:

c7d050afda523d484103b41110524c26

SHA1 hash:

76d7d840f5db3a8834b37e7059840dab7c399636

Link:

https://www.unpac.me/results/65dd716f-2d6e-4998-8bec-f718cd2a9a73/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0aa9e2cd810d02afb47a4dee2f52d2b8e69f37d167d5a686fe654637cca78a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.