MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 321d63317ced77342c3941d1eaeb6afda9399d15fe0716db550ebc2c793d4bb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 321d63317ced77342c3941d1eaeb6afda9399d15fe0716db550ebc2c793d4bb2
SHA3-384 hash: 2ba3664a844c1fd5b8e560e2ae5636f5738e794b633d0fabc3d515f3a88b7bb9ae4a1c54d6abb0349ebd5f34205c99a2
SHA1 hash: 8090f27e71df4a876fe4be748b131217d70d685c
MD5 hash: c3fbe965abc873867051ab178296936d
humanhash: pip-beer-connecticut-lamp
File name:c3fbe965abc873867051ab178296936d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:367'104 bytes
First seen:2021-10-02 09:05:51 UTC
Last seen:2021-10-02 10:03:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2acca7007d519418a75fa59166363dda (6 x RaccoonStealer, 5 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 6144:evp+xGg3PxebZ+uQu7rRvJ0eF01SFGGph0lfy30VB6mcQFTMiTdHWy3s+eaa0pk7:exsf3PxeN+uQu7rRGj1SFGjZ/Si5HVVk
Threatray 2'469 similar samples on MalwareBazaar
TLSH T1FD74C030B7E0C034F4B756F549B5D3B8A92C7DB1AB2491CF62E42AEA56346E49C30787
File icon (PE):PE icon
dhash icon 60f8e8e8aa66a499 (4 x RedLineStealer, 4 x RaccoonStealer, 2 x Stop)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
178.63.26.132:29795

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
178.63.26.132:29795 https://threatfox.abuse.ch/ioc/229500/

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c3fbe965abc873867051ab178296936d.exe
Verdict:
Malicious activity
Analysis date:
2021-10-02 09:08:45 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/3b4132be-c6ca-42d5-99fc-e308a4e641ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194168/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.27383.6057.30030.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Reading critical registry keys
Deleting a recently created file
Stealing user critical data
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95c1f85c-098e-4b98-bff5-d6d868f4aa04
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863147
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/321d63317ced77342c3941d1eaeb6afda9399d15fe0716db550ebc2c793d4bb2/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 09:06:24 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=giowgml45v3tilbzihi6v23k7wutthiv7ydrnw2vb26cy6j5joza._file
Verdict:
malicious
Similar samples:
071de1296849488b15bf1c95f88a7d0eeffddb1f52a245b8afa1ce453b2e9206
RedLineStealer
3ddfd655e04706ed9ce5d6522af4efd80feb1ee294dc2ba33036b02eb61a204b
RedLineStealer
5a1bda5759449a4fa40c6ba85efa7633671d528e09b97be0702ccf0721453184
RedLineStealer
5e819a250169bb6259dd91ba0130030353b19032f243564003b0998a76743cb2
RedLineStealer
627c5b7ac30abcd4d7040f98e6a4242627213bea3d91099961be6bce823c664b
RedLineStealer
6505008c814246965748bdbfe7c034fcab75cc435a66b6ccfdd366927befb6ed
RedLineStealer
7b440bf2809f46380e48a7d4f5d8644f457734f628a5cd86cb07e8af17d03354
RedLineStealer
f1a569c0cacca1b3440f4cc2f22898a032c52c92245d9059be57e336510fdb5e
RedLineStealer
f1a5fa05cf56545d866bf1caea4cfb7cd409fcbc6792892658f6fdc32679e08b
RedLineStealer
fcf92d139a6b81c112d1357f3c118617bc08205e957a9e9475e9caa52fa7c934
RedLineStealer
+ 2'459 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:paladin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211002-k2rczsecar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
178.63.26.132:29795
Unpacked files
SH256 hash:
369173cd39240e2bcfea6193f8c61a7a7d64d7fe3518748abe35ddaf9a47bee4
MD5 hash:
d4c01e4a11d5f3a15d1238adac75341b
SHA1 hash:
7f03fe7ab42282ff8d71f08ef864ec91dcc7e820
Link:
https://www.unpac.me/results/dc865761-ba2d-4f1e-a500-f59c70b1599d/
SH256 hash:
7d80bb48dbc775cdfff203da1d4450ec57c22375d4ba2f917b5425cdbdd41831
MD5 hash:
b830b6f7c2c026ce163a9bda0d44b570
SHA1 hash:
5e3231d95c99d2582f6b60d89cec37e57717d1c6
Link:
https://www.unpac.me/results/dc865761-ba2d-4f1e-a500-f59c70b1599d/
SH256 hash:
b439f898061b04fa803f826b57c330336f93dbe6949e27ad0da86422781ffb7d
MD5 hash:
19f232c33a1c2f36c26dd4b9b7fe3001
SHA1 hash:
155928c673cf5dec3b558783da746fead5526368
Link:
https://www.unpac.me/results/dc865761-ba2d-4f1e-a500-f59c70b1599d/
SH256 hash:
321d63317ced77342c3941d1eaeb6afda9399d15fe0716db550ebc2c793d4bb2
MD5 hash:
c3fbe965abc873867051ab178296936d
SHA1 hash:
8090f27e71df4a876fe4be748b131217d70d685c
Link:
https://www.unpac.me/results/dc865761-ba2d-4f1e-a500-f59c70b1599d/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/321d63317ced/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/321d63317ced77342c3941d1eaeb6afda9399d15fe0716db550ebc2c793d4bb2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 321d63317ced77342c3941d1eaeb6afda9399d15fe0716db550ebc2c793d4bb2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1616291/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194168/

Comments