MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 340faf52d0d5a1be59ae58a7adc8f2af901275c43902d179ebbc8b427fcfec48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	340faf52d0d5a1be59ae58a7adc8f2af901275c43902d179ebbc8b427fcfec48
SHA3-384 hash:	33c39bd975f42875e2f223f4f1f326890efec689a4b85546204c8d97257a3239c4737d19988546916bb2923a882e271a
SHA1 hash:	49ce459d876df9d441f4f164f8a0faeae8a90d16
MD5 hash:	8fc43536dbf3d99b96a56c0bca1d68c1
humanhash:	tennis-december-nuts-mike
File name:	8fc43536dbf3d99b96a56c0bca1d68c1.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	592'384 bytes
First seen:	2020-12-09 18:57:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	922e7523720750b7f2fcaf6daf8f01ec (1 x RedLineStealer)
ssdeep	12288:IVsSJWVflPBMeNUjjEsKZ6dfd7veNZdJpV3vZ2cLfosJchzRY:IjW/BMoi4ZwJ2NZXL3vZmsmhNY
Threatray	166 similar samples on MalwareBazaar
TLSH	02C402127693C077DA7A16B54826D7A49E33B872473251C73BE09B796F307E18B36382
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://dovakl.xyz/IRemotePanel

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/107544/

Detection(s):

Win.Packed.Generic-9803867-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/559504

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Evader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/340faf52d0d5a1be59ae58a7adc8f2af901275c43902d179ebbc8b427fcfec48/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-12-08 03:03:18 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gqh26uwq2wq34wnolct23shsv6ibe5oehebnc6plxsfue76p5rea._file

Verdict:

suspicious

RedLineStealer

1e2d9254c50c83736eaad6c2ec1bf8cb1c12c1940493e64c09c1826320d00ac4

RedLineStealer

202d6e7fc1f86f21bd9d35feba81b947f527879afbb5972b51c949099c0dbf28

RedLineStealer

25b7bd68f5e5e2525b54126984aaa374b3602d8b5530f72fd74cc57a5e1212fa

RedLineStealer

40e054c5c315d144c46e4caab2eb10d61f71c8f3cb97a85e81b96ce6a306463d

RedLineStealer

eb35eab33a6dab54757b557fc27da8700f3ae5c99ad23fb1e91c69f6fdcb4ac6

RedLineStealer

ecb53a7ce5cee882173fe57203d1059caab774b7e08d57d43f1f47bb6b160f9e

RedLineStealer

ee9d9465f960e3d9dc344b9663653b9d6f2ed072586b183124f27d3f902c31f5

RedLineStealer

f272416d8cc43a319811db7fc8f6ac087785e2a3b173ecfe573b725952dd430f

RedLineStealer

fea8616efde9154a348142869f52bfa2731c8f299973c131909879270350e6d7

RedLineStealer

+ 156 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/201209-kehskypa1n/

Behaviour

Checks processor information in registry

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unpacked files

SH256 hash:

340faf52d0d5a1be59ae58a7adc8f2af901275c43902d179ebbc8b427fcfec48

MD5 hash:

8fc43536dbf3d99b96a56c0bca1d68c1

SHA1 hash:

49ce459d876df9d441f4f164f8a0faeae8a90d16

Link:

https://www.unpac.me/results/b84a4fe6-be3a-49e8-bb04-db68c60f724f/

SH256 hash:

bae9235b4a4f570d26c57cf9141af983ef89341cf8e4e2160dfba7c858ec0824

MD5 hash:

ec8bd49e126d2fc952358b5ec0b82768

SHA1 hash:

c09a933b188d7b15154c0b16efe389cff4b08fdc

Link:

https://www.unpac.me/results/b84a4fe6-be3a-49e8-bb04-db68c60f724f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/340faf52d0d5a1be59ae58a7adc8f2af901275c43902d179ebbc8b427fcfec48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	AutoIT_Script Create hunting rule
Author:	@bartblaze
Description:	Identifies AutoIT script.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_AHK_RedLine Create hunting rule
Author:	ditekshen
Description:	RedLine infostealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/107544/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample