MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3c1dd3fdd132fc6a0e72c7063b932de521e58c37ee74ef83a5f1e496f3169af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	c3c1dd3fdd132fc6a0e72c7063b932de521e58c37ee74ef83a5f1e496f3169af
SHA3-384 hash:	b641a9c4adb4f58254f27a0924fd0ec09645905d99db464e60e1ea77bce55e83d75ae3a4847ce012392d1c89e5fce5ce
SHA1 hash:	d380156be02fe906ada526c6b7e35507a8361627
MD5 hash:	73ae7984eb9cf342281a8435684602f2
humanhash:	sink-crazy-wisconsin-oxygen
File name:	73ae7984eb9cf342281a8435684602f2.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	316'416 bytes
First seen:	2021-04-03 06:24:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e279fa9dae08ebab331f6281850baea5 (1 x RedLineStealer)
ssdeep	6144:fVYRqwhFTv9mPt1//kuZSp0BUdRi0h2E/EVt0bA:iRXFTvGZg0mz4E/ER
Threatray	625 similar samples on MalwareBazaar
TLSH	7964F11171D0C833E11216788C7AD2B5463AF8B55F759AC7BBD02BBA5F223D24E32396
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

73ae7984eb9cf342281a8435684602f2.exe

Verdict:

No threats detected

Analysis date:

2021-04-03 06:29:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f69df65d-8f7e-4582-8394-a3b837ada784

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/131952/

Detection(s):

SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd7649db-30be-4ece-8eb7-c32589f67a93

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/664545

Signature

Antivirus detection for URL or domain

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c3c1dd3fdd132fc6a0e72c7063b932de521e58c37ee74ef83a5f1e496f3169af/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-04-03 02:43:00 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ypa52p65cmx4nihhfryghojs3zjb4wgdp3tu56b2l4pes3zrngxq._file

Verdict:

malicious

RedLineStealer

24c6a342ebad96c85df3bf4318a0df5a42e27647657157ee5f9ab0b4ba051e10

RedLineStealer

2ef6afecb494476934f9883dc80c2e112d71ef9aea1d27f3ee268a946d57f0ed

RedLineStealer

547a657aafef619da86801e51e88c7330962984b479eb662f4b323c7ba1911c6

RedLineStealer

83f9b6d6a511c4cae8cb49a92fd18a6333067c50bc1ace0c00324c4af27887e0

RedLineStealer

8d50c214c28a02f115f41150f829eee4be5a8ab43d9c3f59c8159d485c96475a

RedLineStealer

c252253deb8ce68d6c44f555d2ce707f7581dc7267f5d6a892a626469691ef9f

RedLineStealer

d1413e28da1395166d0b510e83b9da3e510aa6ccaeb47f12681d94b0cd24e699

RedLineStealer

da5f87ea1b0e0f4307378a7f4d7fe7077447be8123d9230d2a706bff4029c5a7

RedLineStealer

e2a3a134421c597d262a080f13c3bed0d7c8c605d8c6472bc8fc490e742ce44d

RedLineStealer

+ 615 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:3424565 infostealer

Link:

https://tria.ge/reports/210403-6gwxqf4j36/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

lordliness.store:40355
razorless-shaving.store:40355
fugicarfc8.store:40355

Unpacked files

SH256 hash:

1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9

MD5 hash:

78a535422e2f6ee38d23303739633df4

SHA1 hash:

a79eb74129aaa63ca4175bad850510667e876255

Link:

https://www.unpac.me/results/2fdcb916-fa59-448b-8c56-4eb46a33c4a5/

SH256 hash:

bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630

MD5 hash:

71705e85f8748ca46e31537e62e19037

SHA1 hash:

4f2b3ee4cf0809016c4a9f6958ec752067d838cd

Link:

https://www.unpac.me/results/2fdcb916-fa59-448b-8c56-4eb46a33c4a5/

SH256 hash:

aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848

MD5 hash:

c61ed3bf3203c28408a6b58a338b0b07

SHA1 hash:

1eafb1e9511440ba36ba0f05d3fe0f076805fd75

Link:

https://www.unpac.me/results/2fdcb916-fa59-448b-8c56-4eb46a33c4a5/

SH256 hash:

c3c1dd3fdd132fc6a0e72c7063b932de521e58c37ee74ef83a5f1e496f3169af

MD5 hash:

73ae7984eb9cf342281a8435684602f2

SHA1 hash:

d380156be02fe906ada526c6b7e35507a8361627

Link:

https://www.unpac.me/results/2fdcb916-fa59-448b-8c56-4eb46a33c4a5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c3c1dd3fdd132fc6a0e72c7063b932de521e58c37ee74ef83a5f1e496f3169af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.