MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e350e3c70db30c91aadc46298cd2563c05dc20e2113416a3e7b9b60ef22ae6d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	e350e3c70db30c91aadc46298cd2563c05dc20e2113416a3e7b9b60ef22ae6d5
SHA3-384 hash:	db8d440c4a8185d43cd825ea7c2b6f87ed37ae0de3e169db6cf473620f51ab35aec0e5487ca7c3aa65463ade1dd70e21
SHA1 hash:	a88ae82fa8eff70cc5b53c20b97c35ebe28a2761
MD5 hash:	4202415ab9a4a5895be70426bca072de
humanhash:	purple-crazy-minnesota-august
File name:	4202415ab9a4a5895be70426bca072de.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	390'144 bytes
First seen:	2021-06-03 10:00:26 UTC
Last seen:	2021-06-03 10:58:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	788842c19811b0f2f6994735b8f363a4 (3 x RedLineStealer, 3 x Stop, 1 x ArkeiStealer)
ssdeep	6144:uyzOImoWq1j+BKDwDPSEGZIzZH+26VCic3NoXXoaw/j+cO:uyzfmt2j+BBDPqZIzZHeVzc9BfG
Threatray	803 similar samples on MalwareBazaar
TLSH	A284AE10B7A0C034F5F312F49AB682F9A63DBDA16B2450CB62D52BEA17746E1EC31317
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4202415ab9a4a5895be70426bca072de.exe

Verdict:

No threats detected

Analysis date:

2021-06-03 10:11:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/39356075-1fd5-4546-af7f-5bff2e59063b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/164355/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Sending a UDP request

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/796580

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e350e3c70db30c91aadc46298cd2563c05dc20e2113416a3e7b9b60ef22ae6d5/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-06-02 20:37:33 UTC

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4niohrynwmgjdkw4iyuyzuswhqc5yihcce2bni7hxg3a54rk43kq._file

Verdict:

malicious

RedLineStealer

43a38e0f15c22a94dec67acce84a2cbed685b8c58014ee4a432dad8f9e550a7f

RedLineStealer

7d7d95f5656db399e646ebc63be222f85a6489e81b0a9773391185ef1faf537d

RedLineStealer

8e96166564978a1f84bfa3f352c7f49cbe2920a53375527143b53ac1455c9c82

RedLineStealer

cafacec99af0e63fe0fdd8b519d4947fe9b9e12587bb18b10151f3fd8ce20f63

RedLineStealer

d460839a01093007c634bbca24ac143244b9f6d2b4943ea9aa292600884836ce

RedLineStealer

d8ed5b288ac2b5f908d544a8837d20a5c30464e1f0d980c9c2b974533c9d1e35

RedLineStealer

f036cd620b335151bb675c3478c9f945562e7eb46b0f8ac816da9999e8faffae

RedLineStealer

f29a98849772d487f462daadc5072112353b52fa17ffeac2d2e8d669fcffe573

RedLineStealer

f7ea23624ff9f805903ce10cd0bbeab9795b6610f28edc15b5d235ed339101d5

RedLineStealer

+ 793 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210603-bh3p9g1v7n/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

49.12.42.196:12598

Unpacked files

SH256 hash:

a526722c6099065dbaf2f4d07af7e6af1659ad914fab655a30ed5ff32b34d422

MD5 hash:

96659e1fa9ad47a840e475a3c1de6104

SHA1 hash:

e6f99b504d933dc11254e8b64b530110ba3b0f47

Link:

https://www.unpac.me/results/b30cb9b8-74e7-42d4-b2d5-03a141f249ee/

SH256 hash:

b128d33e55cc7119ef8827d59d707b277d2cd9592df49f8c972bc56d47e2fa70

MD5 hash:

9ec8b96a1a068a1ec4c3463dabbd108e

SHA1 hash:

ad39cfabdb522c52838e5d142d4f0c74655fe981

Link:

https://www.unpac.me/results/b30cb9b8-74e7-42d4-b2d5-03a141f249ee/

SH256 hash:

c18694f035b34ecbbadaf767076a70cff45bb39caf794a827a6e5d652c320e52

MD5 hash:

d237daf497c4bbc01c1e14514b4a908d

SHA1 hash:

50429b1b0e8e7180f1dcde2bff6821897ace3825

Link:

https://www.unpac.me/results/b30cb9b8-74e7-42d4-b2d5-03a141f249ee/

SH256 hash:

e350e3c70db30c91aadc46298cd2563c05dc20e2113416a3e7b9b60ef22ae6d5

MD5 hash:

4202415ab9a4a5895be70426bca072de

SHA1 hash:

a88ae82fa8eff70cc5b53c20b97c35ebe28a2761

Link:

https://www.unpac.me/results/b30cb9b8-74e7-42d4-b2d5-03a141f249ee/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e350e3c70db30c91aadc46298cd2563c05dc20e2113416a3e7b9b60ef22ae6d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.