MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f55c9df2c4d097c3d48727ebcd887817b6a4b0e613220a7d2007c2fadce83779. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f55c9df2c4d097c3d48727ebcd887817b6a4b0e613220a7d2007c2fadce83779
SHA3-384 hash: 196d7f7586b970061569c3eee1ea107c6460d44db0e5a6063ad3f8f820cd8d6cfceb6c42760bc07de1623815a3e31a52
SHA1 hash: 78318fb4a3e1f197013d9141e3b84260a0c91d83
MD5 hash: e62f7ded1ebcbabad0196817026652c9
humanhash: massachusetts-quebec-alanine-ink
File name:e62f7ded1ebcbabad0196817026652c9
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:291'840 bytes
First seen:2021-11-05 00:06:25 UTC
Last seen:2021-11-05 01:28:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2d072324798956717a479868e71b5c9d (4 x RedLineStealer, 2 x KPOTStealer, 1 x Smoke Loader)
ssdeep 6144:lRHSnBjU6YQJ7Nkl489oyL4VRnUAUPTxahoJWRV3Id:EhU6FJSl489+VcTxAe
Threatray 4'077 similar samples on MalwareBazaar
TLSH T15654F10172B1C472D1A7653049788F654A7FBC7629B480CB2B60E63E9EE16D0CE7672E
File icon (PE):PE icon
dhash icon 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e62f7ded1ebcbabad0196817026652c9
Verdict:
Suspicious activity
Analysis date:
2021-11-05 00:08:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1f673848-9c56-445f-a925-2de422764a74

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202520/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.26952.13617.23179.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/618475a8c03a81a502410d46/reports/52b60c49-7e26-4702-a6a4-9bed0a8246a4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d098a715-8853-4ba2-a187-8f43e4c5391e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/883625
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f55c9df2c4d097c3d48727ebcd887817b6a4b0e613220a7d2007c2fadce83779/
Threat name:
Win32.Trojan.MintTitirez
Create hunting rule
Status:
Malicious
First seen:
2021-11-03 07:44:24 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6voj34we2cl4hvehe7v43cdyc63kjmhgcmrau7jaa7bpvxhig54q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc
RedLineStealer
45a61514d5ec9ef37d22edbd8ded4420f359358333c787ecd1c6997fabdfa374
RedLineStealer
68c309ec74f6dd5ec81d2fd23378a84b9d8091ccd28bc8e5f962fabd82e526f8
RedLineStealer
9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7
RedLineStealer
a471c6e29bde00363fce770ed79fb8f9fff011febc26e87862c53ca32aa3f55c
RedLineStealer
bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c
RedLineStealer
c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b
RedLineStealer
e6ca993622f30ef00a363974264e50490b09782104c79d87f02ba17cd3746da3
RedLineStealer
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
RedLineStealer
f84ae3bdd7a26957eebe4e4893718bd512960c013a8aa4903998af16072c0041
RedLineStealer
+ 4'067 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:krip infostealer
Link:
https://tria.ge/reports/211105-aebnxaaad3/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.211.251.200:52562
Unpacked files
SH256 hash:
8dd6ade921b8227482e0d4a2cabe905ead957e5abd10a0797f510596915c957a
MD5 hash:
fd06ddca700c84061b98979fdaa0f744
SHA1 hash:
b49f9ae1a48c088bfd8a9feb621dee86fed9d772
Link:
https://www.unpac.me/results/468c7210-cd22-4797-ae36-0d158bff5f13/
SH256 hash:
a8c334fe33aff46904892c4724632cb7caddff96d9cbc47be7214e6b957288ae
MD5 hash:
fc4de7c761d775b8532c95a88bd40ef7
SHA1 hash:
428d5d4d3a4341adfd0f2fd7d1a366bf6f50ab3f
Link:
https://www.unpac.me/results/468c7210-cd22-4797-ae36-0d158bff5f13/
SH256 hash:
ece2bf565c3eca4746dd3d14e9999b23c46088eba20ed603ef0ae9862ae1ced2
MD5 hash:
9d808492fce9e7d6fdefcc80c3a1ed52
SHA1 hash:
404ad5ca9b09644704b7623b56d459d687d9cc4a
Link:
https://www.unpac.me/results/468c7210-cd22-4797-ae36-0d158bff5f13/
SH256 hash:
f55c9df2c4d097c3d48727ebcd887817b6a4b0e613220a7d2007c2fadce83779
MD5 hash:
e62f7ded1ebcbabad0196817026652c9
SHA1 hash:
78318fb4a3e1f197013d9141e3b84260a0c91d83
Link:
https://www.unpac.me/results/468c7210-cd22-4797-ae36-0d158bff5f13/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f55c9df2c4d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f55c9df2c4d097c3d48727ebcd887817b6a4b0e613220a7d2007c2fadce83779

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f55c9df2c4d097c3d48727ebcd887817b6a4b0e613220a7d2007c2fadce83779

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1752865/
Cape
Cape
https://www.capesandbox.com/analysis/202520/

Comments


Avatar
zbet commented on 2021-11-05 00:06:26 UTC

url : hxxp://host-host-file6.com/files/4048_1635882342_3023.exe