MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32fae971a0e5dac6c60827e5376a689d65832e56181f96dab9b0d15c606d0ed9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32fae971a0e5dac6c60827e5376a689d65832e56181f96dab9b0d15c606d0ed9
SHA3-384 hash: 12806c572e1155c9553a5c58bca5509146c500215763ad15439f312436da81799c79aa7d27745d92f2c1fabfd3f4a57b
SHA1 hash: aac1d4bc6a3d082f78720ef0475fd274d2124028
MD5 hash: 77ede3dc86e10ef96166c983ae35df97
humanhash: arkansas-one-stream-hot
File name:77ede3dc86e10ef96166c983ae35df97.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:389'632 bytes
First seen:2021-06-02 11:21:34 UTC
Last seen:2021-06-02 11:59:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56f05d258312142ce96e49dab5506ef4 (7 x RedLineStealer, 3 x RaccoonStealer, 3 x Glupteba)
ssdeep 6144:YuWBGqseM6rJYvcKA4IUp1+C7mVAAw7r7+o9VHvXyJu/:YuWBGhTiJlKA4ZT7mmNvygHEu
Threatray 780 similar samples on MalwareBazaar
TLSH 22848D10ABA0D035F1F235F45ABB92BDA52D7DE1EB2450CB62D46ADA5B346E0EC31703
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
77ede3dc86e10ef96166c983ae35df97.exe
Verdict:
Malicious activity
Analysis date:
2021-06-02 11:26:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/873e193d-319d-4e48-b0e1-ea545ea52873

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164022/
Detection(s):
SecuriteInfo.com.Troj.Kryptik-TR.17268.12738.UNOFFICIAL
Create hunting rule

Win.Packed.Generic-9867605-0
Create hunting rule

Win.Malware.Generic-9867727-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/795842
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32fae971a0e5dac6c60827e5376a689d65832e56181f96dab9b0d15c606d0ed9/
Threat name:
Win32.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-06-02 11:22:17 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gl5os4na4xnmnrqie7sto2titvsyglswdapznwvzwdivyydnb3mq._file
Verdict:
malicious
Similar samples:
0acd7696d5dc482aa3b4110fd60c6b9f2df88545f6cf9986714a984673965249
RedLineStealer
37a8c9dbb2bd8c64a1fe0e1d72e812db8e54411e2a97598ead5555fd0b1127c7
RedLineStealer
4deb8887fb1ac1b6cc881ad17c732f934a5673d0f15184acfe5678af8eb2b285
RedLineStealer
9c57d0fc5a49debe9dbb49bfebe011bcf249542f6bbd4eefd41c75c3b5ff7d51
RedLineStealer
a481ea6b643ad753a5538ec13c9f270e426e2a389c78ed9f48a0616f6a69ef4e
RedLineStealer
beef9882631d740d3cabb7ce14f299c1fc0e47e6cef65ff7e023ac4437d067f2
RedLineStealer
d8ed5b288ac2b5f908d544a8837d20a5c30464e1f0d980c9c2b974533c9d1e35
RedLineStealer
e87c87c4a26902bc8bbd9993162a98bfb67bb20f9b06cfc0084f5301bec9b816
RedLineStealer
ec835c15a9000e86553ebd1ec3a1cabee067cde9683b526e5dd09a276e1cd50a
RedLineStealer
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
RedLineStealer
+ 770 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210602-jnea7pwybe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
49.12.42.196:12598
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32fae971a0e5dac6c60827e5376a689d65832e56181f96dab9b0d15c606d0ed9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 32fae971a0e5dac6c60827e5376a689d65832e56181f96dab9b0d15c606d0ed9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1300624/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164022/

Comments