MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 3 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e
SHA3-384 hash: c917b147c49ac31329ee7446820a647f357c94c54782645ac49f8d845a34bfc01ae98515ffe6283251ce0bd0bfe34858
SHA1 hash: 82119534bf1f452e9c98352577075073c671da59
MD5 hash: 6803ee8f500080b6a72a7e391bc4778e
humanhash: sierra-sierra-missouri-stairway
File name:6803ee8f500080b6a72a7e391bc4778e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:393'728 bytes
First seen:2021-06-10 23:22:01 UTC
Last seen:2021-06-10 23:45:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 74556c3d2d30d4b65eb21185fd13000f (2 x RaccoonStealer, 2 x DanaBot, 1 x CryptBot)
ssdeep 12288:ZMIVwTCJkvB+FBOEWm4l6KIqadh7ENpd:Z9Vd65+aEWHva77kd
Threatray 1'478 similar samples on MalwareBazaar
TLSH BB847D10B7A0C039F6F366F44EB952B8A53A7AE1672491CF52D52AFE57346E0AC31307
Reporter zbetcheckin
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.246.145.4:80 https://threatfox.abuse.ch/ioc/85644/
http://morsen04.top/index.php https://threatfox.abuse.ch/ioc/85864/
http://olmyad42.top/index.php https://threatfox.abuse.ch/ioc/85865/

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6803ee8f500080b6a72a7e391bc4778e
Verdict:
Malicious activity
Analysis date:
2021-06-10 23:24:18 UTC
Tags:
trojan loader
Link:
https://app.any.run/tasks/9ac1757b-2e52-4c0b-b3d0-c4d8032cd6ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165978/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37077363.4761.1750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/800565
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-10 19:23:50 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
30 of 46 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g5ydbnbrdsdk37n2wotckqam72xafchxdo3kguyo2arkt74hwbha._file
Verdict:
malicious
Similar samples:
17a54b98e0fa1559a540e2ec3c30f0c23d8a8cbe7b18c8fe1f4241945f314e5e
RedLineStealer
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448
RedLineStealer
3411ffa29608d19dc77f53571010425fc94abd5dac92d6c2abffab6eb468c0ea
RedLineStealer
463a368c85c49254ec2a84f7a042c3ec68353b7e0280ba464701ca13a7391c5b
RedLineStealer
62d42586d48418b0fee5bd7705bb05eb6a2db50327e7b69f2a3f35eb57e80c1b
RedLineStealer
c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4
RedLineStealer
c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72
RedLineStealer
dab1943418275fa0a684702d291fa2fd693bebc19b99f7af9ad8dc3dd0a47cb5
RedLineStealer
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
RedLineStealer
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
RedLineStealer
+ 1'468 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar stealer
Link:
https://tria.ge/reports/210610-twr84nwxvx/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Vidar Stealer
Vidar
Unpacked files
SH256 hash:
f2c40ac86d73a6c1183fed1ad7276bff2a7cf9c36d4f6a4fd0e1b93978771ffb
MD5 hash:
d18508f886636691510ead36dd5f5f7c
SHA1 hash:
ab85bf7924589df3b802899cfffdeda4a1965a4a
Link:
https://www.unpac.me/results/150ed356-35de-4b9d-80b8-4c5feb59a375/
SH256 hash:
377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e
MD5 hash:
6803ee8f500080b6a72a7e391bc4778e
SHA1 hash:
82119534bf1f452e9c98352577075073c671da59
Link:
https://www.unpac.me/results/150ed356-35de-4b9d-80b8-4c5feb59a375/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1351560/
Cape
Cape
https://www.capesandbox.com/analysis/165978/

Comments