MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3c87bbd2121958c5beb20738999cf1d6938237d92fd98d19ba0bda2effde25a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs 2 YARA File information Comments

SHA256 hash:	d3c87bbd2121958c5beb20738999cf1d6938237d92fd98d19ba0bda2effde25a
SHA3-384 hash:	c7f7d56025e00cff859c8de0d87033419c05e3f323a0ce6b5cd9e3176eba299fb06041f3597dbfc4570cfed65b37cf6f
SHA1 hash:	bb82e4b856cd4377c54385c3f4043d4812feecac
MD5 hash:	51371dbf2fc65b20b510061144233c26
humanhash:	shade-carolina-cold-missouri
File name:	51371DBF2FC65B20B510061144233C26.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'829'183 bytes
First seen:	2021-06-17 20:50:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep	49152:WC2lJmXbj5DIwbQea1LPEyK7r385JD3d6cIWhm:WzlkbFDVrQMyOr3S3d6cLhm
Threatray	3 similar samples on MalwareBazaar
TLSH	E2851203B293C072D49901B505658BB64F3A7C319775D0F7AFD13AAA9D703E29B3638A
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
162.55.170.54:29785

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
162.55.170.54:29785	https://threatfox.abuse.ch/ioc/131101/
http://159.69.20.131/	https://threatfox.abuse.ch/ioc/135617/

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

51371DBF2FC65B20B510061144233C26.exe

Verdict:

No threats detected

Analysis date:

2021-06-17 21:00:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c55ccf80-334d-4d86-971e-59b1053e7dad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/166647/

Detection(s):

PUA.Win.Packer.Upolyx-12

MiscreantPunch.SingleXOR.EXE.7.UNOFFICIAL

SecuriteInfo.com.BackDoor.IRC.Bot.4560.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed241385-d26b-4338-b24c-05cee1ecce25

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/803956

Signature

Antivirus / Scanner detection for submitted sample

Connects to a pastebin service (likely for C&C)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d3c87bbd2121958c5beb20738999cf1d6938237d92fd98d19ba0bda2effde25a/

Threat name:

Win32.Trojan.Bingoml

Status:

Malicious

First seen:

2021-06-15 02:11:32 UTC

AV detection:

17 of 46 (36.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2pehxpjbegkyyw7lebzytgopdvutqi35sl6zrum3uc62f3754jna._file

Verdict:

unknown

RedLineStealer

47c57530b5b6de027182a6e4fed09bdae9e57cebc090fb52ce948d72e75ca663

RedLineStealer

5c393e03afee6dff3591edb1b4461a4f0228cd1c8fe969f87d083a96406e85ee

RedLineStealer

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/210617-2dxqtdyvy6/

Behaviour

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

UPX packed file

Unpacked files

SH256 hash:

490f8dd6df28b7edf16244cd4cf831bc658e0ccf305d7cbf40e9da02333ec7d7

MD5 hash:

805d106dbdb1c733b684784cc033b284

SHA1 hash:

f843936248d9059cc4a9ddc69d8f101091cd30bd

Link:

https://www.unpac.me/results/015e30a2-5151-457c-9e1f-52347e294e8f/

SH256 hash:

c3f051fdc89bba65156a1f0b0c6bcd9dd7950ff851ed8338e842ad1d89534c48

MD5 hash:

6e8174db90c85a6c871510c2ec49c3f9

SHA1 hash:

01d1ea3fceaae1eef1034e230c1924eba645a7ee

Link:

https://www.unpac.me/results/015e30a2-5151-457c-9e1f-52347e294e8f/

SH256 hash:

d3c87bbd2121958c5beb20738999cf1d6938237d92fd98d19ba0bda2effde25a

MD5 hash:

51371dbf2fc65b20b510061144233c26

SHA1 hash:

bb82e4b856cd4377c54385c3f4043d4812feecac

Link:

https://www.unpac.me/results/015e30a2-5151-457c-9e1f-52347e294e8f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d3c87bbd2121958c5beb20738999cf1d6938237d92fd98d19ba0bda2effde25a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/166647/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample