MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bec59f84c4d86172ce1bfdd8d2f43ab1e679155620852c13f44cfe5cd95a0fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 1 File information Comments

SHA256 hash:	3bec59f84c4d86172ce1bfdd8d2f43ab1e679155620852c13f44cfe5cd95a0fd
SHA3-384 hash:	a65ca43247b9cc08467346d7643e625e9e27ad7efe8e6ebf63e03ab5a2d8737fc7d7fd8c4aab54b60e73f91a7fef56d4
SHA1 hash:	e8875494406aa10c347edea47fa8e607194023e3
MD5 hash:	51cb4383518e4d2ca519ab6c8874fc4c
humanhash:	undress-uncle-fillet-glucose
File name:	51cb4383518e4d2ca519ab6c8874fc4c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	367'104 bytes
First seen:	2021-06-08 08:25:23 UTC
Last seen:	2021-06-08 08:35:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e6315bca50af7f968393b08f13900613 (1 x ArkeiStealer, 1 x TeamBot, 1 x RedLineStealer)
ssdeep	6144:zj5/mf0rvmVtp67WhIcxl+XKlAlooDdwe91OdosZJ8LmiFVP8AK9j:B/M0rvmVtpR6cxl+2AuoOeT0JNiP8
Threatray	2'751 similar samples on MalwareBazaar
TLSH	6374BF10A7A0C034F1F312F95AB692B9A53E7DB16724A0CF62D11AEE57746E0EC3174B
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
195.201.17.219:25524

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
195.201.17.219:25524	https://threatfox.abuse.ch/ioc/73619/

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

51cb4383518e4d2ca519ab6c8874fc4c.exe

Verdict:

No threats detected

Analysis date:

2021-06-08 08:28:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f2331180-c108-4e40-868f-0a6bc950f8a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/165245/

Detection(s):

SecuriteInfo.com.Troj.Kryptik-TR.25967.31957.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Connection attempt

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/798606

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3bec59f84c4d86172ce1bfdd8d2f43ab1e679155620852c13f44cfe5cd95a0fd/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-06-08 08:26:09 UTC

AV detection:

21 of 46 (45.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hpwft6cmjwdbolhbx7oy2l2dvmpgpekvmieffqj7ith6ltmvud6q._file

Verdict:

suspicious

RedLineStealer

42b653a004ebf20afd1797fa69fe13dc18c07281befd059d21c3f5f994b33723

RedLineStealer

45cfc2ce1e033a00c42202e16a7ba83229688d49d7776e175488c56aade45558

RedLineStealer

534bc099de916a0dfac65cc74e45482dd160f053d7100156f35cabeb53de123d

RedLineStealer

62d42586d48418b0fee5bd7705bb05eb6a2db50327e7b69f2a3f35eb57e80c1b

RedLineStealer

9c4589b45940c81fcc8722fa0f96f4b583995df1324a327eefbc276448ea4725

RedLineStealer

acd3e84a50002f93f4f6f3f98b4f0ec25e60889df8e0f15bfff55ddf089cb5c0

RedLineStealer

bdae4240709c06d733b9d67851a9d5f159102d145ab7f57ab689358a196916bf

RedLineStealer

e228070565b955ec46508c0115d70d07299a5db66ddca69b798bee43ee7aa603

RedLineStealer

eeeb63ae9b769764bd474d5367d3a0c4efaba149d355595de5be92fafe08de19

RedLineStealer

+ 2'741 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:kolya infostealer

Link:

https://tria.ge/reports/210608-5p2pwyj382/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

195.201.17.219:25524

Unpacked files

SH256 hash:

86d826f62b1b1bff87f273cbee8b9089d95fcf64cdc80ce5d7600deacabf6e2c

MD5 hash:

73af53d713b62ab9e602867193f7325d

SHA1 hash:

ff8fa1a4a46a6f55d8ead4a7b4b11d342cebe97c

Link:

https://www.unpac.me/results/982860c4-aa1d-485b-8694-ae574c658442/

SH256 hash:

7d2ab09de4823a18015ee864646f95bd7c58e2422bfa1da611b8816b05bad0f3

MD5 hash:

d4a294052760142bf86034200e4a5ce2

SHA1 hash:

8dd989b069140836c351638aec1d05f4ed311e24

Link:

https://www.unpac.me/results/982860c4-aa1d-485b-8694-ae574c658442/

SH256 hash:

07cb5dc6844a04b675636eb0d1e0f442f05b1cc652dc0c5766493a7d978fd21e

MD5 hash:

ad16e60352382104a5d87dd35101a345

SHA1 hash:

2d91245816b6fed01ff639e0ea91713a17fc1281

Link:

https://www.unpac.me/results/982860c4-aa1d-485b-8694-ae574c658442/

SH256 hash:

3bec59f84c4d86172ce1bfdd8d2f43ab1e679155620852c13f44cfe5cd95a0fd

MD5 hash:

51cb4383518e4d2ca519ab6c8874fc4c

SHA1 hash:

e8875494406aa10c347edea47fa8e607194023e3

Link:

https://www.unpac.me/results/982860c4-aa1d-485b-8694-ae574c658442/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3bec59f84c4d86172ce1bfdd8d2f43ab1e679155620852c13f44cfe5cd95a0fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.