MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 381f46ccd38428d37da5ef3930b7b43dacfcebaad1d9e57b997d0f6af89fdef3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	381f46ccd38428d37da5ef3930b7b43dacfcebaad1d9e57b997d0f6af89fdef3
SHA3-384 hash:	25ba13dd0a971563f00509d0984bc53f568b77eb13fff85ef1bd6cd66b2965db87feebf95cfd784fdb79dc4397d03487
SHA1 hash:	03e081c8a1f8e2d16c56b077f8b40203fe1a79a5
MD5 hash:	68031f32eb2db9f3e5eba5be7cf69418
humanhash:	alabama-ack-may-snake
File name:	68031F32EB2DB9F3E5EBA5BE7CF69418.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	363'688 bytes
First seen:	2021-06-22 01:06:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f8b8681fdae7ff6c00298505c40cf976 (4 x RedLineStealer, 1 x CryptBot)
ssdeep	6144:svunRZHTGrX28sbhT9BRrupAcfD253B9fOkAyaZU/h:svunRlGrGzAy3BVOkA1U
Threatray	2'174 similar samples on MalwareBazaar
TLSH	5074AE20A7A0C034F5B326B45BB593B9A53D7AB06B7890CF52D626EE57346E0EC30357
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
82.146.63.219:3014

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
82.146.63.219:3014	https://threatfox.abuse.ch/ioc/139722/

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

68031F32EB2DB9F3E5EBA5BE7CF69418.exe

Verdict:

Malicious activity

Analysis date:

2021-06-22 01:07:26 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/21aa2633-cd30-4a0c-aa18-192ed89475d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/167414/

Detection(s):

Win.Malware.Pwsx-9872132-0

Win.Dropper.Bandook-9871783-1

Win.Malware.Generic-9872318-0

Win.Malware.Redline-9872451-1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

FickerStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aece80af-c50f-4d71-89cd-6562a2d3f9ff

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/805683

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/381f46ccd38428d37da5ef3930b7b43dacfcebaad1d9e57b997d0f6af89fdef3/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-06-21 04:06:00 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hapuntgtqqung7nf544tbn5uhwwpz25k2hm6k64zpuhwv6e733zq._file

Verdict:

malicious

RedLineStealer

32fae971a0e5dac6c60827e5376a689d65832e56181f96dab9b0d15c606d0ed9

RedLineStealer

34c3d185dc61472fccfc4b49d646ccca9d057596dc8947e62773ca63205ef67b

RedLineStealer

56f683b812bfe9dd8a694b34cef3c8759d96a26bddc05b77dfe757494add4a39

RedLineStealer

58dfb8bfa6f4a19288bbc16597a8bbeaec6b35c62d6336c4084478ea0a74112c

RedLineStealer

69c0a77de39fbf7cc3dfcdd29ba803f0aec498175091594c12a3341e05e32914

RedLineStealer

7a33691830a6c01f3a56366f6b4530532c7de80b550e2b69ba6d797682de9e47

RedLineStealer

9c57d0fc5a49debe9dbb49bfebe011bcf249542f6bbd4eefd41c75c3b5ff7d51

RedLineStealer

e87c87c4a26902bc8bbd9993162a98bfb67bb20f9b06cfc0084f5301bec9b816

RedLineStealer

eeafeaa06f77c3fcedafcf46dcb18a8c0b931dcb4696319bb94b191eb0c9417a

RedLineStealer

+ 2'164 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210622-4r5sbkhdbn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

c995908592899f84ad52338cdb25228649d28a396a7088e7b60dd623e551781f

MD5 hash:

778ca3b1618dd54a4810272c84a9e2b8

SHA1 hash:

8cd3c4783efb4b23c516e0d22d525bcf46f5c133

Link:

https://www.unpac.me/results/29c57c56-422b-4d13-b949-e39bdd631e7d/

SH256 hash:

11f2a984aa73ea176fa670c419073758eec7e4bd3d6d35e0879966656da63700

MD5 hash:

3e28612458200afe6d818abfcc716ff9

SHA1 hash:

6a467d4d958a28e211ab291e0d52337ef339b2dd

Link:

https://www.unpac.me/results/29c57c56-422b-4d13-b949-e39bdd631e7d/

SH256 hash:

bd27cbc74671ebbb060adbc2063ad866debd3bab4cb0b3b0610af58d8b439276

MD5 hash:

66602f3d434601efeea06ef4b53bdae0

SHA1 hash:

1b6b3413aca43dfde329c3bda4c14c11637faa72

Link:

https://www.unpac.me/results/29c57c56-422b-4d13-b949-e39bdd631e7d/

SH256 hash:

381f46ccd38428d37da5ef3930b7b43dacfcebaad1d9e57b997d0f6af89fdef3

MD5 hash:

68031f32eb2db9f3e5eba5be7cf69418

SHA1 hash:

03e081c8a1f8e2d16c56b077f8b40203fe1a79a5

Link:

https://www.unpac.me/results/29c57c56-422b-4d13-b949-e39bdd631e7d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/381f46ccd38428d37da5ef3930b7b43dacfcebaad1d9e57b997d0f6af89fdef3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/167414/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample