MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6938eaaaee112bc08f693b635a603b21249d2aa5117cd6a899c88f954227667. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 6 File information Comments

SHA256 hash:	f6938eaaaee112bc08f693b635a603b21249d2aa5117cd6a899c88f954227667
SHA3-384 hash:	6ca1fb5a9a6af61cc435183348a7e57bb8ac1dffad75b2c5f6ea0095b99bfd958b60cba07118c990e54d22282d47cd79
SHA1 hash:	441a3a3d8e3f1a3d24daab8544f5b60a11473970
MD5 hash:	a6c18ea55934592156bf5e3bd8ee7c8e
humanhash:	nuts-wolfram-seven-alaska
File name:	a6c18ea55934592156bf5e3bd8ee7c8e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'383'396 bytes
First seen:	2021-06-08 07:09:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep	98304:xWCvLUBsgDAFcgEYk62oBbshs1hHZ16qszZQ/YUXas/HHe/mbIv:xfLUCgDAOgEYk+BbshsjZ18zZ4YYasfw
Threatray	37 similar samples on MalwareBazaar
TLSH	4716330076D1D4F9D7A06B39FACD9FB780708A65162A18FF7760E14D6E2CC11E62BA0D
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
162.55.55.250:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
162.55.55.250:80	https://threatfox.abuse.ch/ioc/67974/

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a6c18ea55934592156bf5e3bd8ee7c8e.exe

Verdict:

No threats detected

Analysis date:

2021-06-08 07:26:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e882b974-7fdf-49bd-a434-c10984b20806

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/165216/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Barys-9859550-0

Win.Trojan.Jaik-9862229-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Win.Malware.Jaik-9865559-0

Win.Malware.Jaik-9867480-0

Win.Malware.Jaik-9867552-0

Win.Trojan.Jaik-9867734-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Searching for the window

Sending a custom TCP request

DNS request

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/798592

Signature

Antivirus detection for dropped file

Machine Learning detection for dropped file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6938eaaaee112bc08f693b635a603b21249d2aa5117cd6a899c88f954227667/

Threat name:

Win32.Trojan.CookiesStealer

Status:

Malicious

First seen:

2021-06-02 09:22:07 UTC

AV detection:

27 of 47 (57.45%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=62jy5kvo4ejlychwso3dljqdwijetuvkkel422ujtsepsvbcoztq._file

Verdict:

unknown

RedLineStealer

360ae682470c27ef1e4a70a89aed9d14bb6f6260a5609b391c0d67220f91a306

RedLineStealer

46e99e70a21a9ecd28e61195f175bea9260eea38b1718f6750166688d955e91e

RedLineStealer

59c98f1846f03efaa1a594b76b320e3f35ecd53e9ed640bb360bdcf0a41f3c2d

RedLineStealer

5b73fe2b2388fcd2b0f2c71f8499221e5ccd1bcfc4e31d2140d5eca1c3a45414

RedLineStealer

679d4240ec3562404c1222d91bb2594cb90843b5aec479ce75bd47d4a4e8b780

RedLineStealer

df102108e8beb55334e3976e1cb7f389e8f9ecd23a12c4d71c22921626938c50

RedLineStealer

e7c3cea59ec83faa8886c1a5d0b0eabd00cf68ae8491ad6a985f3b6e422c0d19

RedLineStealer

ec606c6695e9c2716c8b3eb6c8b45d085caa03658274366a846ad37c452bd65f

RedLineStealer

f3b3bf03f311300ba76f4de3376ff21b3b1971ccbc90e24638ab15c2b42ef79b

RedLineStealer

+ 27 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

aspackv2

Link:

https://tria.ge/reports/210608-cb8vk9492j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Unpacked files

SH256 hash:

e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4

MD5 hash:

0dedd909aae9aa0a89b4422106310e9e

SHA1 hash:

271d36afa5b729ee590cf8066166ca5e9c9d0340

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

35d970ddc304328a2408d39cc56803cf0b7f532387e23594b8b2fb82185b546a

MD5 hash:

04498c94e0c929b3aba33c29d459b593

SHA1 hash:

f9f3fd7a4f694b117f6c897c65b57a64a9ef9847

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

362e9911976a10b0091c7b28e43345d1c2f78fd2c4670e56b668a480d32f2942

MD5 hash:

29210d8751dd24b12366ac06baa97ee5

SHA1 hash:

9937394e97a5bce4904bc41fe95f971370893640

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

a17d5baaee1e1af455d726b0a14c3f180cc17273e9b8e2e9690d7762c1301538

MD5 hash:

5b6273f3dc77eb527bab9fbafde1998e

SHA1 hash:

f0ca4830102b2760a937fb3c4cc1364cdd0ab694

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

fcb8d43635aa485c8b25f1140ba4e56f6f0cbf3054d5dedc96a851d4731a2a6f

MD5 hash:

695c2eff3b7705b6a2d4d25a2692c132

SHA1 hash:

73c2dffcf2e7170d8bfda8cc7282b2bf7bb5f199

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

Parent samples :

1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
e79f148128e425bd5353039f515bd64a9b562ac0897306d81dad0b529ffbea3a

SH256 hash:

0edfac6be11732ddd99db66821ee47408c2dc1e9bed68e5ef9a8e130c565b79b

MD5 hash:

cbd6029abaa8e977d3b7435c6f70dd0e

SHA1 hash:

ebb89d4d7659ef77b658a86ad00dba0ead869f4c

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

9a9a50f91b2ae885d01b95069442f1e220c2a2a8d01e8f7c9747378b4a8f5cfc

MD5 hash:

957460132c11b2b5ea57964138453b00

SHA1 hash:

12e46d4c46feff30071bf8b0b6e13eabba22237f

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

dd40c1f57f93e50fc495be3d732b66ad4b8382d1bb5a046f420c0011a26f0561

MD5 hash:

3a6161de601079801bcdafeb2f30f08a

SHA1 hash:

6a9bc4683a57e44981f74217786bf201b342a21b

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

7704c4712c432db0c9b9e57ca1c15a3b5d2072cf3ede04b671a92c196f46172e

MD5 hash:

a7e4bfacf721b725d39fa023e0130200

SHA1 hash:

682718ecdbad703fa5f132b57c6f6da87f7eaf42

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

fced8a5ad324b478f3ca1de3a1f7c67847851aed64e7e2576b2ab49aecdc22a7

MD5 hash:

46845a914d94a9beeba2415561c4a690

SHA1 hash:

0d1f8347f1ef8df415e2a1ff70f79bbbafd39a38

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

665fd4e26d83bab4cec9c8877f08555e04d32fd79a75c3e108e71fd18ba486a6

MD5 hash:

c3a3c03f97b82b48cca09e00a7dad774

SHA1 hash:

d197368cacafc0bdf2f12d3ff0643113ba5e18ab

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

d19808c396ba4a44568024be9266beee7442d26da23c2a372f7707c0b8232d8a

MD5 hash:

244925bfacb9a951c3cb1bf346b8372c

SHA1 hash:

d02440131939fe73f6e6ae161ffb98cb1e8e1f11

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

eb3691d3a707c8b1d5b45402ef3344d7e6388eaac64065a13cf5c9afa53a2b01

MD5 hash:

3038ae600c1657fad2fdc1a3072820d2

SHA1 hash:

6a855667f0219302dbe1ab2c80feb56c8822051b

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

e166dc55a9bda23dab9b0d4dfdb099f97574afc771db19d3bf02b0f3773b09fe

MD5 hash:

618e40ea69d4372879af82e360decc7d

SHA1 hash:

451abbe55ec1a7b855207142dc2fc517dc8d016b

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

f6b8b44e47658ee410c33a86b340ba0e6eadeae1b276feb947406b50c1ac804c

MD5 hash:

ea2b9402fa612abd3cc1418cad0a4644

SHA1 hash:

3ea4426b7dbc47063ab6eee8a6c6b22762c30ace

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

16475b2a669b3861115e4d166097006d9a523b4e73be8446efc166fdee8174f3

MD5 hash:

6024b3fd3069c2492fdc0b22626cf78c

SHA1 hash:

2e2ca98c9e2f9f8b41557c1bda11fc27ff8f5804

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

48dcd9dd2293c0eb836460916be8bcf08d20191e1af9851ff5bc75b7344eb905

MD5 hash:

2db518688116cdd0bf10081244f4dc66

SHA1 hash:

26f13e8c836ed665440547a5053583a4d20185cf

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7

MD5 hash:

5e6df381ce1c9102799350b7033e41df

SHA1 hash:

f8a4012c9547d9bb2faecfba75fc69407aaec288

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

b26d99296cc1f38ad735c36a305eb206b8a9022e92b463886ed918f42dee0b04

MD5 hash:

9decb9ebf19e4e45bd75f175140e1018

SHA1 hash:

c9d35d2bc78dd37270dbe17f2555324c6f560d11

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

98d74bfc71cb34b84f51bc60f20cd526f152f135ff6a29e452a89c40167bd5e2

MD5 hash:

777068d1c2df1f73feb7a220f130811b

SHA1 hash:

45c6b0a9f9c5f9881f89464e70f25178fc04d63d

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

54248b794451324ee49db029d650eb5c46a972a8f1c18b7a1344678b3264e16b

MD5 hash:

e1dd7747ea6eff6d1d63ea97d55f38b1

SHA1 hash:

5d69c1351919cd3673cd6e4285914ae16cbf0f3b

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

80028728d5e666c3ed670589118c3d6324d1c8f05fb9f008f48973db0b7676ae

MD5 hash:

65db0288987a32d62f1415ac86bd602c

SHA1 hash:

917226ed5ae06ac597dea27b810aa80e760c7ba4

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

6ef04bc21bd5332e6664472ad204cac152ead135537fa30b0e8713c85c4a2fa5

MD5 hash:

65fea9db25a144ec6f3040b96e4cbeb9

SHA1 hash:

df8927e67bed5feaa5427a91dafef935be1e6374

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

67a6a4e6e089442b7ce5c9173528a0fe5f14295bdf061ca9d9ceb2745ae758a3

MD5 hash:

76bb1df0d86dc52a5dfb404cd612eedd

SHA1 hash:

0a4024fbcdd9fa16949d1154b3ad098023b69777

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

SH256 hash:

f6938eaaaee112bc08f693b635a603b21249d2aa5117cd6a899c88f954227667

MD5 hash:

a6c18ea55934592156bf5e3bd8ee7c8e

SHA1 hash:

441a3a3d8e3f1a3d24daab8544f5b60a11473970

Link:

https://www.unpac.me/results/5dc559fb-7618-432a-9a98-518ceff4e92d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f6938eaaaee112bc08f693b635a603b21249d2aa5117cd6a899c88f954227667

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	UAC_bypass_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/165216/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample