MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0346531afa41316034e3e2165641030345eafb490028b03146b4b137f6b58138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 1 File information Comments

SHA256 hash:	0346531afa41316034e3e2165641030345eafb490028b03146b4b137f6b58138
SHA3-384 hash:	e9926d11ad0b25616000d06b00297ce0ac647ebdbe2a1d079e32c03f3ac0cf2c59d84e5b0db8a11e2611735e3c533618
SHA1 hash:	e8bf29fcef92c5bd855292bd60b44697e89076cf
MD5 hash:	c6b17ac9eeb92c6495fb746bc5393a86
humanhash:	undress-don-purple-missouri
File name:	c6b17ac9eeb92c6495fb746bc5393a86.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	676'864 bytes
First seen:	2021-05-28 19:46:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1a4b310f70283bd6f2d997b56af1e495 (3 x RaccoonStealer, 2 x RedLineStealer)
ssdeep	12288:Kn01q1l/C9r8Cen0AB1T/T3o8ya68IrsmtzAoyB5ko8IrdD:xGl3nlLT3tyYIdt3A5kbIrdD
Threatray	355 similar samples on MalwareBazaar
TLSH	BAE4F1A2B7E2C036F5F312F4B5B582B8A53E7DB56B6841CB12C11AEA1A746D0DC31317
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.17:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.17:80	https://threatfox.abuse.ch/ioc/66366/

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c6b17ac9eeb92c6495fb746bc5393a86.exe

Verdict:

Malicious activity

Analysis date:

2021-05-28 21:26:55 UTC

Tags:

evasion trojan loader rat redline

Link:

https://app.any.run/tasks/8a564e45-4a19-4981-b909-332f38d1cca9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/163058/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36984825.30403.2549.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Sending a custom TCP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/794126

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0346531afa41316034e3e2165641030345eafb490028b03146b4b137f6b58138/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-05-28 12:19:21 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=andfggx2ieywanhd4ilfmqidanc6v62jaaulamkgwsytp5vvqe4a._file

Verdict:

malicious

RedLineStealer

5342ae888cfa86f63f7fc07cfc613871e323106764d2b5c495aa1946800e49bd

RedLineStealer

6117422892b290bd26bde0e3e1e496451c83d276d098336db9d32dea86c16790

RedLineStealer

7341c40c1693ae8350ec3eb83cce1d9e0744340b3dde2241e146b410f54c191b

RedLineStealer

90823e9bf099b873263241a2a7c3435b85fe6480ecb4fff4da9563ba95e7b31e

RedLineStealer

c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72

RedLineStealer

ebed275eba9f8eddb2242c93732b7a213ede149bd79a792de9d6f8dda6d7f3a3

RedLineStealer

ed3f452a9fed41f5d3dfb528d6c05a53298b559775eeec46eda50ad42a714b28

RedLineStealer

fbef875f61027e592a684c32ff682b80d94e95966c42f73a4a04893f876513a7

RedLineStealer

ff43e5ff78c057004608c0595a0d39e06e41ef09ce5be9120eff598a6782c522

RedLineStealer

+ 345 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 27.05 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210528-jt5klmtb8x/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0346531afa41316034e3e2165641030345eafb490028b03146b4b137f6b58138

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.