MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 150d707cc2e9d784f0fbd252163607d356f8e0895f5780fb592009f276d44cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: 150d707cc2e9d784f0fbd252163607d356f8e0895f5780fb592009f276d44cf7
SHA3-384 hash: 5281cf7f9bb5698139d940bf5a953a65e024424eae3a17c0439141b86b32852a86f3a45ef3ed2353f794f03fcf97e1bc
SHA1 hash: fa10b151d7a3444e5471aed19d110918641a90ab
MD5 hash: d119ff15dcdd36ccc4cfbe62b39e5e1b
humanhash: juliet-magazine-purple-nine
File name: d119ff15dcdd36ccc4cfbe62b39e5e1b.exe
Signature: RedLineStealer
File size: 392'704 bytes
First seen: 2021-05-20 15:19:15 UTC
Last seen: 2021-05-20 17:12:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 63b5f22f46dd8215a05df479a97ff24a (1 x RedLineStealer)
ssdeep: 6144:cSqmNu1z39DEnIWwTBXPw4bzmPEzfesiYumlrHdbsaXRLVFNoQmhMkCEvibmM/G4:cSVNu1T9DEnKX9zfFemlu0v0CfKg3
Threatray: 2'079 similar samples on MalwareBazaar
TLSH: 23849D01F691C034F5F3D6F54ABA92B9E53E79A1672490CF22D42EEA5A746E0EC31313
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 95
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 5624a868327f9790df66cd209a7583e7.exe
Verdict: Malicious activity
Analysis date: 2021-05-20 15:24:45 UTC
Tags: evasion trojan loader
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
Sending a UDP request
DNS request
Connection attempt to an infection source

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-05-20 15:20:18 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline infostealer
Behaviour:
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 150d707cc2e9d784f0fbd252163607d356f8e0895f5780fb592009f276d44cf7 (this sample)

Delivery method: Distributed via web download

Comments
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-20 16:34:19 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0045] File System Micro-objective::Copy File
4) [C0047] File System Micro-objective::Delete File
5) [C0049] File System Micro-objective::Get File Attributes
6) [C0051] File System Micro-objective::Read File
7) [C0052] File System Micro-objective::Writes File
8) [C0033] Operating System Micro-objective::Console
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0043] Process Micro-objective::Check Mutex
11) [C0041] Process Micro-objective::Set Thread Local Storage Value
12) [C0018] Process Micro-objective::Terminate Process
13) [C0039] Process Micro-objective::Terminate Thread