MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9
SHA3-384 hash:	8f6dc90005d467efbf654341e8b81b38f6bdb6e52b807750bce500e40ff015bf3972e06ad1f0c9d360d7e4ee34c800ad
SHA1 hash:	24668ee2537bc9a1130a39a57a6905a3b2ef4542
MD5 hash:	84482ccc25d8732c2a33b2e731f53368
humanhash:	bluebird-coffee-pip-xray
File name:	84482ccc25d8732c2a33b2e731f53368.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	356'864 bytes
First seen:	2021-06-09 06:00:40 UTC
Last seen:	2021-06-09 06:50:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6b67c02601b2c0552b5d5c2fd43344bf (1 x RedLineStealer)
ssdeep	6144:P0qy7ZRO1WzS+GHeAPRwNBxcHZjbtNWtvFWoundc6sP:PLy7ZROIS+GHbZwNByHZlQtpBP
TLSH	79749E00A7B0C039F6F356F45B7692F8A93E79B1673490CF12D526EA5A34AE0AC31717
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

88951369824.exe

Verdict:

Malicious activity

Analysis date:

2021-06-09 02:10:56 UTC

Tags:

evasion trojan rat redline

Link:

https://app.any.run/tasks/e714f321-4654-427e-8eec-2eb7165d6969

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/165542/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37066186.13696.2442.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/799340

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-06-09 01:56:19 UTC

AV detection:

22 of 47 (46.81%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zdf4gtrtvqwskojszydwpklniynubzymbxa52dq2yodneyrsr6uq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 09.06 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210609-atagplk512/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

fa1dcbb9165c73955f6dea68b9b7ca877284951efcaf4d7acb80706e45918148

MD5 hash:

f236ea25a8674958cc07d2e340a3661f

SHA1 hash:

c8bc6b18165a1e0f16506cbd63c617967c704c7b

Link:

https://www.unpac.me/results/4960b44f-5961-4df3-8618-bd39ab4cff88/

SH256 hash:

1ff62a36a630b9016c3377e65cf4af7a0b65d33f1c3a4774807ed2de7757ab22

MD5 hash:

88bf4daac3fcd561d7640658c50f6613

SHA1 hash:

b9b8bed9c0cb2497c05ade3cfd7098cdd4f8a742

Link:

https://www.unpac.me/results/4960b44f-5961-4df3-8618-bd39ab4cff88/

SH256 hash:

45293618fe86782065e6f94eb9ed7ac4d6d6bbb6e19ddc05f073e403f5ab83fe

MD5 hash:

e452dfc6ad48ecf002b9e12546dae225

SHA1 hash:

09aa6abc3a081ea317295d2a2b53277fa683b001

Link:

https://www.unpac.me/results/4960b44f-5961-4df3-8618-bd39ab4cff88/

SH256 hash:

c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9

MD5 hash:

84482ccc25d8732c2a33b2e731f53368

SHA1 hash:

24668ee2537bc9a1130a39a57a6905a3b2ef4542

Link:

https://www.unpac.me/results/4960b44f-5961-4df3-8618-bd39ab4cff88/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.