MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
SHA3-384 hash: 4b3a76e73d9282c623d21f5ffcd279125dbfee14a2a11078ac8f8f12b81600588c88ec17813056dc2b7b77476a106a6f
SHA1 hash: 3c6b70ab854cc46448b55d8a057698c4568a85e2
MD5 hash: ec1105be312fd184ffc9d7f272d64b87
humanhash: north-avocado-bakerloo-arkansas
File name:SecuriteInfo.com.generic.ml.1574.24425
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:94'424 bytes
First seen:2021-12-18 05:37:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 1536:O/T2X/jN2vxZz0DTHUpouMJbL7xE+1nkhA1gq5iAYFh7z1N60m5fLsP/DsSTH:ObG7N2kDTHUpouMJbL7PaWRuNs0m5fLW
Threatray 8'287 similar samples on MalwareBazaar
TLSH T12293D0109770C823E4B34A3129757B67AFFD952122718F4B03205A5D7DB32D2AA1FBB6
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:RYGDKNING
Issuer:RYGDKNING
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-16T20:57:29Z
Valid to:2022-12-16T20:57:29Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 1b679c60f3abe239350a372a3ab2a522d55dcb160fb18fb8ca2b9ac1da2e2af6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.generic.ml.1574.24425.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file
DNS request
Creating a window
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2440/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61bd73c04ab5c44cbf477a37/reports/1f3a579e-0d77-4913-adcd-6fa97a309642/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3615c04e-f514-483e-897e-916cb0c4bcda
Result
Threat name:
GuLoader RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909438
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected GuLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5/
Threat name:
Win32.Trojan.Shelsy
Create hunting rule
Status:
Malicious
First seen:
2021-12-17 17:35:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
RedLineStealer
18a991ca66e5a2f3ba4b92dd18171eaa5f7306b8cd7d9aa461e4aaef158e7b5c
RedLineStealer
395a803ba3e091e6ac2629c5591e6cd874f68332a436287d0121f5f21b3524e6
RedLineStealer
47ecf9882778e09cd99f29b89aa75d4396e783c1ef5c8e931601d6c1957fb3e5
RedLineStealer
5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96
RedLineStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RedLineStealer
780426de24ae46f300fdaf9cbf597c8f2164f7b6c525c0bbcc07dca087be768c
RedLineStealer
bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c
RedLineStealer
d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7
RedLineStealer
f84ae3bdd7a26957eebe4e4893718bd512960c013a8aa4903998af16072c0041
RedLineStealer
+ 8'277 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:redline botnet:private_3 discovery downloader infostealer spyware stealer suricata
Link:
https://tria.ge/reports/211218-gbqf8afcfk/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
RedLine
RedLine Payload
suricata: ET MALWARE Generic .bin download from Dotted Quad
Malware Config
C2 Extraction:
194.26.229.202:18758
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/c07daef7-06f9-437e-b90a-7e434ba262d6/
SH256 hash:
39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
MD5 hash:
ec1105be312fd184ffc9d7f272d64b87
SHA1 hash:
3c6b70ab854cc46448b55d8a057698c4568a85e2
Link:
https://www.unpac.me/results/c07daef7-06f9-437e-b90a-7e434ba262d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1894641/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214932/

Comments