MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66a38cc4c3d771280b087ca859dfb95644588421f633e83abab7cd4e4169003f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	66a38cc4c3d771280b087ca859dfb95644588421f633e83abab7cd4e4169003f
SHA3-384 hash:	820233d759c7135bab4273da6ab3fc252479a1a08eb67451f92d14e72de72d8e8b2f3b047f82a0dc139b5df66a5b89f3
SHA1 hash:	2960a6034785807bfc7d2187bc43f54021a0c34b
MD5 hash:	c679976e64da2051c01b750587c2786d
humanhash:	saturn-sad-pennsylvania-network
File name:	c679976e64da2051c01b750587c2786d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	330'240 bytes
First seen:	2021-03-31 12:55:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baf6552e1c7923d039841ba11b7a0d4e (4 x RedLineStealer, 1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	6144:Ddccoxqq6LtFyxdlLhcTUUoHytTB0BhUQnjtOQ2X7rDXQCieMSn:Kco8q6yxdxhMEH2wwjrrDApeM
Threatray	687 similar samples on MalwareBazaar
TLSH	5E64E000B1D1C473D29A15790461C6A14A3AFCB19F75A6C73B903F7A9E3A3E18A37397
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://lordliness.store:40355/

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c679976e64da2051c01b750587c2786d.exe

Verdict:

Malicious activity

Analysis date:

2021-03-31 13:03:39 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/47e3aee5-28e3-4f4e-b0ee-129987266872

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/129286/

Detection(s):

SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Connection attempt

Sending an HTTP POST request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/660300

Signature

Antivirus detection for URL or domain

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66a38cc4c3d771280b087ca859dfb95644588421f633e83abab7cd4e4169003f/

Threat name:

Win32.Trojan.Ranumbot

Status:

Malicious

First seen:

2021-03-31 12:56:18 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m2ryzrgd25ysqcyipsuftx5zkzcfrbbb6yz6qov2w7gu4qljaa7q._file

Verdict:

malicious

RedLineStealer

3a77d697b35b9de741ac611c904aca942a17d4ac8f786f4f9b9532dec277a8f6

RedLineStealer

60178061acaeacc7a85a1cf1a9f38b4a4b4757e7b117b824a646d12ffd67c6d5

RedLineStealer

807e65fc407c3d9f024b10e8cfb20c2e10ad067aa217fe97ec1b075c24dbc936

RedLineStealer

b3c2ed1edebee42767277652dbdb2c3c17c3b33707c975b1679e956658701825

RedLineStealer

becdbee6d455ccb06b479bd087b75e1d0057ad67d6ba0bac88e70decea123272

RedLineStealer

bef5636daa6cccce3b38d8d284de1cb1ad2cfb36cbcaede1c8f7478e706f1201

RedLineStealer

c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c

RedLineStealer

cca7603860e679057bcb934a4bd7cf7b62ba96355cf7c367e2e50cbc6664253f

RedLineStealer

ce5bcaea5743241940863029bac94171057d34ad93faa432f158b0c1e50ecf02

RedLineStealer

+ 677 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210331-z66crbgvw2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

RedLine

Unpacked files

SH256 hash:

1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9

MD5 hash:

78a535422e2f6ee38d23303739633df4

SHA1 hash:

a79eb74129aaa63ca4175bad850510667e876255

Link:

https://www.unpac.me/results/6903331a-94bd-4399-a653-3604d6ff3ede/

SH256 hash:

bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630

MD5 hash:

71705e85f8748ca46e31537e62e19037

SHA1 hash:

4f2b3ee4cf0809016c4a9f6958ec752067d838cd

Link:

https://www.unpac.me/results/6903331a-94bd-4399-a653-3604d6ff3ede/

SH256 hash:

aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848

MD5 hash:

c61ed3bf3203c28408a6b58a338b0b07

SHA1 hash:

1eafb1e9511440ba36ba0f05d3fe0f076805fd75

Link:

https://www.unpac.me/results/6903331a-94bd-4399-a653-3604d6ff3ede/

SH256 hash:

66a38cc4c3d771280b087ca859dfb95644588421f633e83abab7cd4e4169003f

MD5 hash:

c679976e64da2051c01b750587c2786d

SHA1 hash:

2960a6034785807bfc7d2187bc43f54021a0c34b

Link:

https://www.unpac.me/results/6903331a-94bd-4399-a653-3604d6ff3ede/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66a38cc4c3d771280b087ca859dfb95644588421f633e83abab7cd4e4169003f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.