MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02a3045615925cfd09f7b121b520b14bb10784d21b0b77e0895140306c54c3fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02a3045615925cfd09f7b121b520b14bb10784d21b0b77e0895140306c54c3fb
SHA3-384 hash: 59193cc4dbc38b19377af7df87f927d959a6f35d98ecf0c599f8aa0ee84308560ae5d15ff579dc14cf3ef26f295f809a
SHA1 hash: b9cf599da5488b47b1abb97b15963d2ef72bf6dd
MD5 hash: 80b9d4b0b3fce803d043f655517c71b9
humanhash: stream-alabama-island-oscar
File name:80b9d4b0b3fce803d043f655517c71b9
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:312'320 bytes
First seen:2023-02-03 23:03:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 11deee92ae37204b8493d8d64f5f1f69 (8 x RedLineStealer, 5 x Amadey, 2 x Smoke Loader)
ssdeep 6144:GvFLNd39X555427c5kt8/KamYRG7AMW0Tkpr6cOPxHhAX:GvFj3Q2MaamYRG7A0kprqHOX
Threatray 14'073 similar samples on MalwareBazaar
TLSH T1AD64F1363280C0B2E46711304865DBA5EB7FB8306579961777991BBE4F336C0AB3A35B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 816a6e6e6a6a6a70 (1 x Smoke Loader, 1 x Amadey, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
80b9d4b0b3fce803d043f655517c71b9
Verdict:
Malicious activity
Analysis date:
2023-02-03 23:07:22 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/1f9bcd64-8c14-426a-a67b-365f132220c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360114/
Detection(s):
SecuriteInfo.com.MSIL-47.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63dd92e5fcc41339192f19c9/reports/c3598932-95a1-4c3f-ae73-89f67bd4d226/overview
Verdict:
Malicious
Labled as:
Ransom.51A80467
Link:
https://www.hybrid-analysis.com/sample/02a3045615925cfd09f7b121b520b14bb10784d21b0b77e0895140306c54c3fb
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9176777e-f6e3-40be-824c-d0786313768c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1165576
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02a3045615925cfd09f7b121b520b14bb10784d21b0b77e0895140306c54c3fb/
Threat name:
Win32.Trojan.Lockbit
Create hunting rule
Status:
Malicious
First seen:
2023-02-03 23:04:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akrqivqvsjop2cpxweq3kifrjoyqpbgsdmfxpyejkfada3cuyp5q._file
Verdict:
malicious
Similar samples:
0fbaa3eb6ea93afc5b818a70ac69f4a06997ea4a5b00ab8f3ac286773962ced8
RedLineStealer
11fbcba70e0d9ee48f7223046c93e50736f3ad418596495ceee97235e3ec3e9b
RedLineStealer
134ab8a05fd71a6762287cef0ee99a8ca08c076ffcc23ad44c32fe4f537f6c7d
RedLineStealer
2cb82f52c961d092242e4db39563663c1c375a0b1e5f9ef012081173f6d6a4cd
RedLineStealer
3cad5fc80ef5be3ce164cf7499ab336f124715d60ce99e7bd9c53718e6ca326d
RedLineStealer
441ff4beae0a388f028ae3ac1b191f9bd3717f9a2577164028e71c8dc5d16677
RedLineStealer
460dd00c9d92a72214592d5a06c3968b7cad9f06276302ebc5bd1a7d8c67cf92
RedLineStealer
7e9f64cbb0cd22706f8e8dc5366f191be44ec6bff5803424c758096a6216cb73
RedLineStealer
a35fe253c0f82283f94c43d4aee2e0c41336edf8e3ca9530efd4f16a31f60cb5
RedLineStealer
dda0f4221046a25ed0417f5c907596e2b95c36a5c6b1fe2809bcbe1c29a093c3
RedLineStealer
+ 14'063 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230203-219avaeh5v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
5447398f848c8f4cc9a98b5f70318a0dea2ceccae863ca1ce7a91ca18f77e14e
MD5 hash:
45a7fbfebf6bdc8a86f21b9dd864eec3
SHA1 hash:
f1e6e3f15fd80ae99d027aa559170a6e5fd0ce53
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6631ebeb-79ae-4ff6-8eb5-3618fe6f2ac6/
SH256 hash:
6e0dfd71fca03404056602562210eeee70971e92bd49ccaa925c964d155b7122
MD5 hash:
885a6514a429a8d2c8d6599bf36fe02d
SHA1 hash:
80df5dc73fe17c291ec23e81bd5170648473339f
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6631ebeb-79ae-4ff6-8eb5-3618fe6f2ac6/
SH256 hash:
82761137df9ecf85888f5dc65447d1bb94e8fb0a791e663d6bc81d742a93496c
MD5 hash:
70b37744cc2a4979960636679621dff5
SHA1 hash:
2ce8191ab742f6e09079bf9e116284a70a200eda
Link:
https://www.unpac.me/results/6631ebeb-79ae-4ff6-8eb5-3618fe6f2ac6/
SH256 hash:
02a3045615925cfd09f7b121b520b14bb10784d21b0b77e0895140306c54c3fb
MD5 hash:
80b9d4b0b3fce803d043f655517c71b9
SHA1 hash:
b9cf599da5488b47b1abb97b15963d2ef72bf6dd
Link:
https://www.unpac.me/results/6631ebeb-79ae-4ff6-8eb5-3618fe6f2ac6/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/02a304561592/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02a3045615925cfd09f7b121b520b14bb10784d21b0b77e0895140306c54c3fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 02a3045615925cfd09f7b121b520b14bb10784d21b0b77e0895140306c54c3fb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2529464/
Cape
Cape
https://www.capesandbox.com/analysis/360114/

Comments


Avatar
zbet commented on 2023-02-03 23:03:59 UTC

url : hxxps://www.brancatosnc.it/test.exe