MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd38d6e7ee598b9ead8640b414b0251e85b8cdd7c59ee456ea5ef973b476b3ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	fd38d6e7ee598b9ead8640b414b0251e85b8cdd7c59ee456ea5ef973b476b3ec
SHA3-384 hash:	f8b7dee1cb4294cd1526b5eb4bdf2071eee86c431742cbaad2dbe2faab4b8adb2d0233fc38142dbd8c3b38775eb15d0c
SHA1 hash:	eab431238b9737f404005a8d24d6b096ae2ebe96
MD5 hash:	51c25bee51585d854a99738df9b583aa
humanhash:	green-equal-solar-oklahoma
File name:	51c25bee51585d854a99738df9b583aa.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	346'624 bytes
First seen:	2021-03-19 07:32:48 UTC
Last seen:	2021-03-19 09:35:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5d17de16c76266fd8d910bc0fc0e437c (3 x ArkeiStealer, 1 x DanaBot, 1 x RedLineStealer)
ssdeep	6144:C5aJrdPOTiIFHBKziR5Gpmvm/UQVabDa7c2FiGHb5EOgItftlfmo+8:C5aJrdPOTiIFHBKzcGpWb275FH75lgIm
Threatray	1'265 similar samples on MalwareBazaar
TLSH	9074BF0CA7E0C034F1B726B0497A9ABCA93A7EB05F2890CF62D517FA56746E09C31757
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

51c25bee51585d854a99738df9b583aa.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-19 07:35:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/59746bb3-f091-448e-b9ca-2f651134c6e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/125587/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.63083.22326.9013.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26b792a8-d037-47f7-ac50-8a7520d60275

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/645774

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/fd38d6e7ee598b9ead8640b414b0251e85b8cdd7c59ee456ea5ef973b476b3ec/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-03-18 02:19:05 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7u4nnz7olgfz5lmgic2bjmbfd2c3rtoxywpoivxkl34xhndwwpwa._file

Verdict:

malicious

RedLineStealer

4239335443cbf3d45db485d33c13346c67d5ac717a57856315a166c190dde075

RedLineStealer

475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2

RedLineStealer

4f42a3f5ab0feccba70fb3637052bb95359d2152f1b73d787b25ba0f75cec13a

RedLineStealer

6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787

RedLineStealer

7e33816fa1c7b7608cdbc984c0f60e752d67f91e0d184e25f28357e9e0a8fb78

RedLineStealer

aca06c84c79542c68aee34141e53d43e865d9d0cce2fab122270cf7c230dca77

RedLineStealer

bd824ea4c4eda6ab14aa271fa88dae5e1102d4cbaae86d46e47b80be0247d11a

RedLineStealer

e8519ee31b530c94681185e62245cc32c279a5a340cc423aca9e1793b807b038

RedLineStealer

f864c3ba8d40d3f461f21579a9e100f20ee15bea94a6d682b4154ebe22d6f0e4

RedLineStealer

+ 1'255 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210319-n2v6w55pej/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

3822de859c49b10e343977a0ce400a4fa126bf211b5c787ba31b3281309eb685

MD5 hash:

49bcaf05b270ddfa00b93aa51d8f4402

SHA1 hash:

bdaf6115d211c2bbf4d3bd66eeae56645a9e2e16

Link:

https://www.unpac.me/results/89484333-d97b-4fac-a55b-6092ecc8063b/

SH256 hash:

e6bd37f8ca12f3460fddb8acf52a2c24239532b8613b81cfcc9794b17be1f79b

MD5 hash:

910de422df28921b26cc2c421a6760cc

SHA1 hash:

8272a39c9690c84b030c5c3bbe6dadec8fe41edc

Link:

https://www.unpac.me/results/89484333-d97b-4fac-a55b-6092ecc8063b/

SH256 hash:

c26b103ce6fb7c3fa33010f1b920fa7cf72a37354a14542c1afbf62755661a29

MD5 hash:

fef84ffb0ea175bcbf1e38d447ce63ba

SHA1 hash:

072323f5424f6e2a419b180166f6130b85a4fbb5

Link:

https://www.unpac.me/results/89484333-d97b-4fac-a55b-6092ecc8063b/

SH256 hash:

fd38d6e7ee598b9ead8640b414b0251e85b8cdd7c59ee456ea5ef973b476b3ec

MD5 hash:

51c25bee51585d854a99738df9b583aa

SHA1 hash:

eab431238b9737f404005a8d24d6b096ae2ebe96

Link:

https://www.unpac.me/results/89484333-d97b-4fac-a55b-6092ecc8063b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fd38d6e7ee598b9ead8640b414b0251e85b8cdd7c59ee456ea5ef973b476b3ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.