MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f4001fd561fb0462d88c09f3be2c8cfc6810118c79066e1ec6956d43e18c643. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 3 File information Comments

SHA256 hash:	8f4001fd561fb0462d88c09f3be2c8cfc6810118c79066e1ec6956d43e18c643
SHA3-384 hash:	6b7deba10cf1359009c5a1f1a3e9042a1ad9637bd675f17c520879c69a22023d532bcc82514f4c4b13b4bc34ee683d40
SHA1 hash:	0d12b7bf1f2037509f5c0302534f08c42f406ddf
MD5 hash:	a65c057ce64857391918ce8d449a158d
humanhash:	mirror-ceiling-missouri-one
File name:	a65c057ce64857391918ce8d449a158d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	400'896 bytes
First seen:	2021-06-20 02:50:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	866e8b0fa01ec6fd81db7579c1be52ae (3 x Stop, 1 x CryptBot, 1 x Smoke Loader)
ssdeep	6144:AUIBsCpuw3Adg9X0S5jPrLwBE8Sfh6UWDvfqySZTr9HrKafV6JCE:mBDpuwwdg9X0yPz15sfqySRR2SV4
Threatray	863 similar samples on MalwareBazaar
TLSH	6384AE10FA50C039F5F612F85ABA93B8A52D7AB0572850CF62E51AEE47346F1EC32357
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
176.121.14.43:53999

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
176.121.14.43:53999	https://threatfox.abuse.ch/ioc/136818/

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a65c057ce64857391918ce8d449a158d.exe

Verdict:

Malicious activity

Analysis date:

2021-06-20 02:51:25 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/773a4809-461e-48b0-a8bb-d68312f657e0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/167107/

Detection(s):

Win.Malware.Generic-9873005-0

Win.Packed.Generic-9873139-0

Win.Packed.Generic-9873141-0

Win.Packed.Generic-9873202-0

Win.Packed.Ransomx-9873351-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/948639c4-f9ee-4d0f-9c4a-3c2f119602b7

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/804817

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f4001fd561fb0462d88c09f3be2c8cfc6810118c79066e1ec6956d43e18c643/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-06-18 19:03:00 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=r5aad7kwd6yemlmiycptxywiz7dicaiyy6ignypmnflnipqyyzbq._file

Verdict:

malicious

RedLineStealer

2fb6bf1f605b4441037e7870f0060ad5e5bdcfd9b8ad065a42dc953be5c8d321

RedLineStealer

38be3ad05a6c425c48e00b37c6c98b2c8deba6f0183c87e512416f9c8e5f6434

RedLineStealer

43a38e0f15c22a94dec67acce84a2cbed685b8c58014ee4a432dad8f9e550a7f

RedLineStealer

475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2

RedLineStealer

63d9527d69c228772ebadb63c1e74d7d0702acac52357fcea08ec5a408ca0453

RedLineStealer

9f3059cd216e4310893b76812fac2bd3b203a592e5604347472b71ada0150855

RedLineStealer

a2b4c803b5bafe2e4428cf462bb78c177fcc0c04ca746a82608231bedc47c21f

RedLineStealer

af9417afddd1867732538ff369e917f68407906bef20dfb2e0b99ee8a04664cc

RedLineStealer

b479768bf30303be4d80d2ec21ea1a5cb116307e7c637a562b28c019acd515fa

RedLineStealer

+ 853 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210620-cjpsd5j7y2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

82286412aaacb90839c33c173e9f45421fae1cae2a36b0fa1bee45eddc6006a7

MD5 hash:

9d038784c6c0cdbdd9d3ffecdb22ccc7

SHA1 hash:

a3cdaebee46550fc32eca5e23f6bff5e3f8d8179

Link:

https://www.unpac.me/results/a01ff705-8ff3-4aaa-94e8-dc5cde4edbc4/

SH256 hash:

4d7dc5c07ec341f4bb923f25efcd77b782b576bd980fc33c7d3f9ad0d8e033a0

MD5 hash:

3bbdc75f879b00b0ebe7150d52677b24

SHA1 hash:

306e46901f654b193bcc3535fdeb674bc37141a5

Link:

https://www.unpac.me/results/a01ff705-8ff3-4aaa-94e8-dc5cde4edbc4/

SH256 hash:

99b2709db59ef6756412614a412fea87b51376d4c2bbd15a720c107665b0131e

MD5 hash:

d809d0f47a47fc4d630a89895b05aa29

SHA1 hash:

13042d0467cd99d485adcd00c60206929eaa11c5

Link:

https://www.unpac.me/results/a01ff705-8ff3-4aaa-94e8-dc5cde4edbc4/

SH256 hash:

8f4001fd561fb0462d88c09f3be2c8cfc6810118c79066e1ec6956d43e18c643

MD5 hash:

a65c057ce64857391918ce8d449a158d

SHA1 hash:

0d12b7bf1f2037509f5c0302534f08c42f406ddf

Link:

https://www.unpac.me/results/a01ff705-8ff3-4aaa-94e8-dc5cde4edbc4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8f4001fd561fb0462d88c09f3be2c8cfc6810118c79066e1ec6956d43e18c643

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/167107/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample