MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39b1072b1ee46585dba3bd084fd4a076153537660764a9c3759317d73dbfb425. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39b1072b1ee46585dba3bd084fd4a076153537660764a9c3759317d73dbfb425
SHA3-384 hash: c1e5cebc3d5a7606a913b3969923649a0d9ea68c8339eecd0d8ff6c3390814f7983e01f812f16ac63310b53b6e2b7293
SHA1 hash: b0dc7f8b50ee243d6a68bd205bf9cbfe0a36a4ed
MD5 hash: ea6c614c0cd9cc9bdc0d7ef674081438
humanhash: sad-magnesium-leopard-double
File name:ea6c614c0cd9cc9bdc0d7ef674081438
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:288'256 bytes
First seen:2021-07-06 10:23:18 UTC
Last seen:2021-07-06 10:51:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cdab0fef7b5479a045b4ff0657b0733b (2 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 3072:PqH9rNsDFcfBbydjim2NUc1Ko6OeqRo1/Fqemi5mHprqyRlG5YFmDl:YEF+BbMimc1MG61/Uej5mHprqmW
Threatray 3'083 similar samples on MalwareBazaar
TLSH 9554E0113A50C833C07A04349A24D7F1AB3FBD726965C54BB7A53F6F6F3128256BA326
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d6
Verdict:
Malicious activity
Analysis date:
2021-07-06 04:39:05 UTC
Tags:
trojan loader evasion rat redline stealer raccoon
Link:
https://app.any.run/tasks/aa5176f8-ccb9-41d3-8f6f-218c0b1fb451

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169934/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.76250.18489.15854.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0dfc2398-5350-4530-9d6d-c7875f6ace6f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812200
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39b1072b1ee46585dba3bd084fd4a076153537660764a9c3759317d73dbfb425/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 20:31:18 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgyqoky64rsylw5dxuee7vfaoyktkn3ga5sktq3vsml5opn7wqsq._file
Verdict:
malicious
Similar samples:
0ffa9641556c11890735aba122f4ebf94370fb4aab8c613f5025df7559214f51
RedLineStealer
3666dd8e3ce14a3b7273c405f7318402f3c2d203104966f326c3d93ee0d0570a
RedLineStealer
475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2
RedLineStealer
65f5e70174b24bd7ecb1072e1b7e0f73648c75ddb40ee194210175c2a25f7c9c
RedLineStealer
9f3059cd216e4310893b76812fac2bd3b203a592e5604347472b71ada0150855
RedLineStealer
b479768bf30303be4d80d2ec21ea1a5cb116307e7c637a562b28c019acd515fa
RedLineStealer
b666325729d0aa8e49292441558e945d0075439d6e6a544181fe708864835383
RedLineStealer
d116dbae8aeba92891801d5884f81b41a2dfc15bb48b3425da735fed59c0c6a0
RedLineStealer
ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5
RedLineStealer
f84ae3bdd7a26957eebe4e4893718bd512960c013a8aa4903998af16072c0041
RedLineStealer
+ 3'073 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix 06.07 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210706-w7ralt6aej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.17:18597
Unpacked files
SH256 hash:
f3f895360d8754176eaa64b9077be5ad442a0493a30930116ed5202443c5d7cf
MD5 hash:
2f7f9eb1862c3b99ea620415cacc800b
SHA1 hash:
454f1aadc668da04a985d0cad1c07f39d557f861
Link:
https://www.unpac.me/results/dca43873-882f-4c21-b50e-5b4bfd6f0426/
SH256 hash:
89d0369f4d9c85a6a584eba79d6b2c55d8a2b20101cb1df824c94392a70017a9
MD5 hash:
b68939fc568c63e5cdd068fe0723dc62
SHA1 hash:
38b8ddd9ad89da413fb94364fb865138197b5eff
Link:
https://www.unpac.me/results/dca43873-882f-4c21-b50e-5b4bfd6f0426/
SH256 hash:
24452699555e0d9202c6b0114b83c6b8a139b189144ffb62eb3a5d0a14e1c1c0
MD5 hash:
54e6006ff6ffe6da2d6a23463194679d
SHA1 hash:
23c2a520786fd71510fe41dee18a5842f4907a1c
Link:
https://www.unpac.me/results/dca43873-882f-4c21-b50e-5b4bfd6f0426/
SH256 hash:
39b1072b1ee46585dba3bd084fd4a076153537660764a9c3759317d73dbfb425
MD5 hash:
ea6c614c0cd9cc9bdc0d7ef674081438
SHA1 hash:
b0dc7f8b50ee243d6a68bd205bf9cbfe0a36a4ed
Link:
https://www.unpac.me/results/dca43873-882f-4c21-b50e-5b4bfd6f0426/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39b1072b1ee46585dba3bd084fd4a076153537660764a9c3759317d73dbfb425

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 39b1072b1ee46585dba3bd084fd4a076153537660764a9c3759317d73dbfb425

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1261248/
Cape
Cape
https://www.capesandbox.com/analysis/169934/

Comments


Avatar
zbet commented on 2021-07-06 10:23:20 UTC

url : hxxp://nailedpizza.top/bestof/mixx.exe