MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cd806676a941c35dafb31a02bfd75d6acecc3c6fb8567fe2b5c1e41bd6a59e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	2cd806676a941c35dafb31a02bfd75d6acecc3c6fb8567fe2b5c1e41bd6a59e3
SHA3-384 hash:	817f0f98f2930601468e845f3dead52d9b3f01847f161b04a12d64b28c1581ed81e6391d15d825ecc57fd7b29539704a
SHA1 hash:	373eb65f23f9d4f5cc3c095095d7bd0c79ce5db4
MD5 hash:	4d91759b1aab6958b37c9d4b04093bbc
humanhash:	fanta-sierra-ohio-finch
File name:	2cd806676a941c35dafb31a02bfd75d6acecc3c6fb856.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	366'080 bytes
First seen:	2021-05-28 19:46:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f648f82da86c29e8b6c0971365e00e98 (4 x Stop, 2 x RaccoonStealer, 2 x RedLineStealer)
ssdeep	6144:00wBVCcclctRx1YaLh4IgSKW1vLQhggLFDQ/BBGtbrZkUS:00wBQccl6x1YcyW1vLB4FDQZMtBkU
Threatray	582 similar samples on MalwareBazaar
TLSH	7474AE10A7A1C038F5F212F447B693BCA53F7AB16B6494CF52D42AEA5A346E0EC31717
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.17:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.17:80	https://threatfox.abuse.ch/ioc/66366/

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file1.bin

Verdict:

Malicious activity

Analysis date:

2021-05-28 05:38:16 UTC

Tags:

trojan opendir loader stealer raccoon evasion rat redline

Link:

https://app.any.run/tasks/16dd54b1-803e-47c2-b3db-39b114026671

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/163061/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46372135.12961.1056.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/794056

Signature

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cd806676a941c35dafb31a02bfd75d6acecc3c6fb8567fe2b5c1e41bd6a59e3/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-05-28 01:03:52 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftmamz3ksqodlwx3ggqcx7lv22wozq6g7ocwp7rllqpedplklhrq._file

Verdict:

malicious

RedLineStealer

47162ef38e515cecd61c767bc97b7588a985c65d56f858bd8b85789bbdd66d80

RedLineStealer

5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b

RedLineStealer

7341c40c1693ae8350ec3eb83cce1d9e0744340b3dde2241e146b410f54c191b

RedLineStealer

a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b

RedLineStealer

bdae4240709c06d733b9d67851a9d5f159102d145ab7f57ab689358a196916bf

RedLineStealer

bec5357c8a455639460f76de7bac4220c225a1770cfb5448de3c8885a22a8ba4

RedLineStealer

c7d64e661c96d03e4b08bf7edb1e9667743133eb72207f19ebfe3f4cb6c7a4b7

RedLineStealer

cd661266f7067a157d4e04654ba155341e544a36e3a3c430afc230ba015c3f5a

RedLineStealer

dac8697e24dbe30b33cc0de5ac7584319b134ad59d11aeffdecb861a6868a8a3

RedLineStealer

+ 572 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 27.05 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210528-v5k7s4e9d6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cd806676a941c35dafb31a02bfd75d6acecc3c6fb8567fe2b5c1e41bd6a59e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.