MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8e821c5e9dee0feb7bea1a74483273f908cfedfc17a20b99f553a8d4e450fe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	b8e821c5e9dee0feb7bea1a74483273f908cfedfc17a20b99f553a8d4e450fe3
SHA3-384 hash:	203a31e7705071c5685a5061a48fccd3c63321cff4b167c4195b9dd0877dd8668c46ba0d5b455a8511e028be39eca0e2
SHA1 hash:	20b53b6dd9a79fdf4a7e20e5d31cd5df49993f12
MD5 hash:	c41f8eb665d766d8be5bc394590a96d9
humanhash:	nitrogen-spaghetti-carbon-nevada
File name:	c41f8eb665d766d8be5bc394590a96d9.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	389'632 bytes
First seen:	2021-06-02 17:26:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c79d21a18d2d983f887085ba949c12f3 (5 x Smoke Loader, 4 x RedLineStealer, 4 x RaccoonStealer)
ssdeep	6144:rzf5x6seMvI9UvBrk4Lnv5cRcXR1X300OydBB10xVrEEotJVntyC:rzf5xRDw9srk4rhckR1XE/rxV09n
Threatray	627 similar samples on MalwareBazaar
TLSH	73849E10B790D034F1B335B45AB792BDA62E7DE1EB2450CB62D4AAEA57346E0EC31707
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.17:18597

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.17:18597	https://threatfox.abuse.ch/ioc/69455/

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3276ce9f8cfc9936a3da9743bf081c49.exe

Verdict:

Malicious activity

Analysis date:

2021-06-02 14:04:13 UTC

Tags:

evasion trojan rat redline

Link:

https://app.any.run/tasks/02089da8-a728-4e6a-b458-e6cedc763350

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/164130/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Connection attempt to an infection source

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/796245

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b8e821c5e9dee0feb7bea1a74483273f908cfedfc17a20b99f553a8d4e450fe3/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-06-02 17:27:07 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xducdrpj33qp5n56ugtujazhh6iiz7w7yf5cbom7ku5i2tsfb7rq._file

Verdict:

malicious

RedLineStealer

41a0df72651937574df4ef7141fc5153285a7fda23fc7db8f7772849ace8cfa9

RedLineStealer

4e557a2a8db727d6fbbdd785311d8d6b87e978c6460a452cc1d574ec135c964e

RedLineStealer

53b2685160ff1bf7e8fc24ebdd1c0fe4615dfe0fd2bcfd86e6b3cd8bcd9cf7ba

RedLineStealer

648b643daee7a85674fc74673b723da1f964474b4634ab96fe3b936c0f111a06

RedLineStealer

87686e5d836a7761ce31744a990c6229266695e7462a5d88f31b2a8ffe748e4a

RedLineStealer

8a001e68155b0e818b07d99d13f3efae5fabe5a86d949514a8f854e8afcde51f

RedLineStealer

97ff8445e59555cb43bde18013c9c0d9f925edbce22fc659a71ff339aa0e5f36

RedLineStealer

d460839a01093007c634bbca24ac143244b9f6d2b4943ea9aa292600884836ce

RedLineStealer

f7ea23624ff9f805903ce10cd0bbeab9795b6610f28edc15b5d235ed339101d5

RedLineStealer

+ 617 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 02.06 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210602-yh5gjqqp66/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:18597

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b8e821c5e9dee0feb7bea1a74483273f908cfedfc17a20b99f553a8d4e450fe3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.