MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5
SHA3-384 hash:	d2335a2da7ecb931eb0643f9838d7b008fd373430775a5467d1f84a31c961644000c2ed0a7b451487765d56e840c8aac
SHA1 hash:	439eb4d721bd814b04598890736685506a5bfcf1
MD5 hash:	30073d7cc81768ddd8e3bb1b08b9f144
humanhash:	winner-colorado-september-king
File name:	30073d7cc81768ddd8e3bb1b08b9f144.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	438'272 bytes
First seen:	2021-02-18 07:07:04 UTC
Last seen:	2021-02-18 08:39:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	50a6f77996662fd547197e7f0e5aefb0 (1 x RedLineStealer)
ssdeep	12288:kVJiCpw1xJwPEjSA6JRT14xPpgzKak5E:vMw1xWtjB4
Threatray	170 similar samples on MalwareBazaar
TLSH	0E949E00B7A0C035FAF616F449BA93AD653DBEE19F1451CB52E53AEE96346E0AC31307
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/117671/

Detection(s):

PUA.Win.Downloader.Firseria-6804617-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/611122

Signature

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5/

Threat name:

Win32.Trojan.Graftor

Status:

Malicious

First seen:

2021-02-18 03:43:23 UTC

AV detection:

12 of 28 (42.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xmbbbj7t6sgeyda3m2a5l24hc3bjoa34doal6jmb5jvmqy3zhcq._file

Verdict:

malicious

RedLineStealer

4bb82f05f31bbc7df2350efac1d0e9e46e5b78f11b50fa6b8313066454aec918

RedLineStealer

53694d09899c9de1600743b37ab45e9dc4e3eaf329dc410e87a3b7318d943012

RedLineStealer

c434d4da9f9111e836666c93d246f062baa801b1fd098ab670c537353483bad0

RedLineStealer

c7548d44039ef4712cd3161d51f4d235f7b04fac22234cfcc602a895e87d23f7

RedLineStealer

d5a592a952140b52fde783c6281f82986a3aee2f05de63fe7b6ff2d76db11670

RedLineStealer

d8271e3a38ba916aa701c5b4cb01eb75abface3d401e604248434d7f79ffaad0

RedLineStealer

eb7daf5779270983a6593b9d58fdad20fd18100b1301ce0a03cc5d1b98bd333b

RedLineStealer

f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48

RedLineStealer

fa123f422564ed8b12034d2fdecbafb53d8df264aa6d0fbfadaddd89c9e5ac5d

RedLineStealer

+ 160 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware

Link:

https://tria.ge/reports/210218-mlxb6ep1bn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

57aba0321927dbe7d14ac3c31e8f2c0911430eb1e733a0b060a4d62e0a6661a5

MD5 hash:

c83e6b7e8aa091912e6d39d1e8e30323

SHA1 hash:

f92516cb701e2306aa576a4e00e6ac55b5e0d6a9

Link:

https://www.unpac.me/results/a014e465-b6d4-4a14-b7e9-76ba11f61155/

SH256 hash:

66409555a5afb5df21cd557dc7189a92b5f8107831f8a9cfaaf660c39770a644

MD5 hash:

04b269fb3a66a602824e5382a36c78f3

SHA1 hash:

c211e162db3a01ffaeb0bec67abf080a0e616156

Link:

https://www.unpac.me/results/a014e465-b6d4-4a14-b7e9-76ba11f61155/

SH256 hash:

a222a5dfdd449040d48064c6816f79f6120d67d8c3c237377bcc5abeec6fe2c7

MD5 hash:

d6c3207212b2491b4800fbfc4eff95e8

SHA1 hash:

67805af77f3573705a144f6db3944da3f457332b

Link:

https://www.unpac.me/results/a014e465-b6d4-4a14-b7e9-76ba11f61155/

SH256 hash:

ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5

MD5 hash:

30073d7cc81768ddd8e3bb1b08b9f144

SHA1 hash:

439eb4d721bd814b04598890736685506a5bfcf1

Link:

https://www.unpac.me/results/a014e465-b6d4-4a14-b7e9-76ba11f61155/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.