MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1413e28da1395166d0b510e83b9da3e510aa6ccaeb47f12681d94b0cd24e699. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	d1413e28da1395166d0b510e83b9da3e510aa6ccaeb47f12681d94b0cd24e699
SHA3-384 hash:	fc96667bd5aea1e1a7e9c1ff735f375bceb9a681b32df20a1cac1b8de51f6ce82e70164ac3e1fb1b506bc4888609dfb5
SHA1 hash:	bc66f1390f53e1d1f367ff031ec9a78055a61f7c
MD5 hash:	8621103b4eb43e077bf228a3d65ce604
humanhash:	social-uniform-fish-sink
File name:	8621103b4eb43e077bf228a3d65ce604.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	316'416 bytes
First seen:	2021-04-02 18:08:36 UTC
Last seen:	2021-04-02 19:09:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2d5121f754e69d5634d8bc69d91f466d (1 x RedLineStealer)
ssdeep	6144:WrVeJ0GxYJGqIXAAPSus+4BWm7X5hcf5vV5:3J0InAAPSWmLMfxV5
Threatray	1'462 similar samples on MalwareBazaar
TLSH	8B64F10171D1C832E6961A7948A9C6F5463AFC310F2446CBB7C51BBE1F263E29E37396
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

224

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8621103b4eb43e077bf228a3d65ce604.exe

Verdict:

No threats detected

Analysis date:

2021-04-02 18:11:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1ed5c38c-c13a-4647-acb8-112d4585d6b9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/131835/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.29423.23052.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/885e21b3-ca98-4730-b522-d4cb35b5a838

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/664111

Signature

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d1413e28da1395166d0b510e83b9da3e510aa6ccaeb47f12681d94b0cd24e699/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-04-02 18:09:16 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2fat4kg2cokrm3ilkehihoo2hziqvjwmv22h6etidwklbtje42mq._file

Verdict:

malicious

RedLineStealer

0f32500a74e76831740141dfc69676b97a72f9f66da30dfa3aa8648b836373cf

RedLineStealer

310339bcc4c81ba2d5bd40e292b4855cf8c7d6345db36d5ab65c9bcea4dad35a

RedLineStealer

547a657aafef619da86801e51e88c7330962984b479eb662f4b323c7ba1911c6

RedLineStealer

5b39d7d6eae45df2f9e263a36b30a1ca32c4c5d80a923c0a2380098fb33d978f

RedLineStealer

806a388a4f41bb0fe29dfefb5f8748c7426967d24d6c61efe6b133edca31db12

RedLineStealer

83f9b6d6a511c4cae8cb49a92fd18a6333067c50bc1ace0c00324c4af27887e0

RedLineStealer

a05289cf515df671cc7a541ffc59fef3b7b2f0d69f676070a70eea0ec56cae19

RedLineStealer

c673a3b3d0b40ed2cbbf38346a2a2a68d40ea4b94ab5ecf41f3a965a1a48ab6b

RedLineStealer

e2a3a134421c597d262a080f13c3bed0d7c8c605d8c6472bc8fc490e742ce44d

RedLineStealer

+ 1'452 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:3424565 infostealer

Link:

https://tria.ge/reports/210402-n5vkjncxje/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

lordliness.store:40355
razorless-shaving.store:40355
fugicarfc8.store:40355

Unpacked files

SH256 hash:

1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9

MD5 hash:

78a535422e2f6ee38d23303739633df4

SHA1 hash:

a79eb74129aaa63ca4175bad850510667e876255

Link:

https://www.unpac.me/results/0265adf3-21ac-407b-936e-8abd10cab3a8/

SH256 hash:

bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630

MD5 hash:

71705e85f8748ca46e31537e62e19037

SHA1 hash:

4f2b3ee4cf0809016c4a9f6958ec752067d838cd

Link:

https://www.unpac.me/results/0265adf3-21ac-407b-936e-8abd10cab3a8/

SH256 hash:

aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848

MD5 hash:

c61ed3bf3203c28408a6b58a338b0b07

SHA1 hash:

1eafb1e9511440ba36ba0f05d3fe0f076805fd75

Link:

https://www.unpac.me/results/0265adf3-21ac-407b-936e-8abd10cab3a8/

SH256 hash:

d1413e28da1395166d0b510e83b9da3e510aa6ccaeb47f12681d94b0cd24e699

MD5 hash:

8621103b4eb43e077bf228a3d65ce604

SHA1 hash:

bc66f1390f53e1d1f367ff031ec9a78055a61f7c

Link:

https://www.unpac.me/results/0265adf3-21ac-407b-936e-8abd10cab3a8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d1413e28da1395166d0b510e83b9da3e510aa6ccaeb47f12681d94b0cd24e699

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.