MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0345355aeddf2ebfb4268ffbc6930eb25bd0a6ac7c29ec9392a3fa13cc9179c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0345355aeddf2ebfb4268ffbc6930eb25bd0a6ac7c29ec9392a3fa13cc9179c5
SHA3-384 hash: 6caa10b1c54f796428092346f91631a4cf0a6bcd057773ab86836440140ece383b5a4872bc2254ca87fd248f6f9b868e
SHA1 hash: 6c7ef003982e13e6f1bad3b076365e61682234e0
MD5 hash: 65519eb42ba92607e00f72409bb81f1a
humanhash: mike-avocado-papa-echo
File name:65519eb42ba92607e00f72409bb81f1a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:315'392 bytes
First seen:2021-09-02 21:55:21 UTC
Last seen:2021-09-03 00:25:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e1eb14d2b9b63299ef24644e625b9baf (3 x RaccoonStealer, 3 x Stop, 1 x RedLineStealer)
ssdeep 6144:Wxj5LFpBghwdXnDZmtyDbKZVkUrI/XUaeTzktRd2gN8y4Ko:irBghwdzZmtyyZOgIx38c
Threatray 5'484 similar samples on MalwareBazaar
TLSH T10C64AD20B6A1C035F1B352F459BA93F8B93A7D706B3094CBA3D516EA16346E4ED30787
dhash icon 60e8e8e8aa66a499 (24 x RaccoonStealer, 14 x RedLineStealer, 7 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
65519eb42ba92607e00f72409bb81f1a
Verdict:
Malicious activity
Analysis date:
2021-09-02 21:57:50 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/7f576b60-4ddf-4da2-8f0a-164d9cfed2bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184966/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.14930.13621.19932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8aa44355-b04c-44ad-afd8-8db131d49f9a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/844410
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0345355aeddf2ebfb4268ffbc6930eb25bd0a6ac7c29ec9392a3fa13cc9179c5/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 21:56:11 UTC
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anctkwxn34xl7nbgr754neyowjn5bjvmpqu6ze4sup5bhterphcq._file
Verdict:
malicious
Similar samples:
0fc23c2e005cdfed1a0380dd7a06dda83b882f8d392c7f157b783822d21d78a1
RedLineStealer
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
RedLineStealer
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
RedLineStealer
7578b1f217fca3612bbabadca671494f35cbada8d58fc11c68092477c99ec084
RedLineStealer
9453ddc4bebb87a937e3d53d38c56814907b2862496142ccdb568f48caf2d467
RedLineStealer
b16312efaa5c99706690f35e9ca41748c7ac793ff06e9d4f5ece91c960d25ff5
RedLineStealer
b553f55f881cc835996635ac0daeab9a843fcbd703272d21ce553ed3579b0085
RedLineStealer
c9952fbf329b8a9b3400196c5bfefb8c48bdb7a8a3c8ff4176dc804aed898f1c
RedLineStealer
caa2bbb52eac417eb14ba6480c4b00663a6c7b477965cb2b3c0769dd6906d71f
RedLineStealer
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
RedLineStealer
+ 5'474 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210902-1tb64aeghk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:8678
Unpacked files
SH256 hash:
9535c968deac76b07b81338316691050af68de604c5ac9b8ce88fb13af79aa22
MD5 hash:
b726df75f1ef2ca4e8e4c201cc323464
SHA1 hash:
afbc5f2384bad1cf44d88b3e6a0e2e08683ddfcf
Link:
https://www.unpac.me/results/1e00284a-926c-4282-b792-6f8ab39c7170/
SH256 hash:
49024e791cf17a4255a3b5a33bfede6ed8f9ab28c34d7b10ce7c3676498fa969
MD5 hash:
0d79cf0987744082d998343280d9b2d5
SHA1 hash:
6810c7f1f15bdd644e0c0ffd0e341c71dc2deeeb
Link:
https://www.unpac.me/results/1e00284a-926c-4282-b792-6f8ab39c7170/
SH256 hash:
71834babc65f6ca37d984e3cd28656ccfdfc7947d65c92080c84df0dd261b3d0
MD5 hash:
930113d93ac139570d8cf41e39400215
SHA1 hash:
0152da485ccfb299b2f17bd3af7e5c733b1f294d
Link:
https://www.unpac.me/results/1e00284a-926c-4282-b792-6f8ab39c7170/
SH256 hash:
0345355aeddf2ebfb4268ffbc6930eb25bd0a6ac7c29ec9392a3fa13cc9179c5
MD5 hash:
65519eb42ba92607e00f72409bb81f1a
SHA1 hash:
6c7ef003982e13e6f1bad3b076365e61682234e0
Link:
https://www.unpac.me/results/1e00284a-926c-4282-b792-6f8ab39c7170/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0345355aeddf2ebfb4268ffbc6930eb25bd0a6ac7c29ec9392a3fa13cc9179c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0345355aeddf2ebfb4268ffbc6930eb25bd0a6ac7c29ec9392a3fa13cc9179c5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1587234/
Cape
Cape
https://www.capesandbox.com/analysis/184966/

Comments


Avatar
zbet commented on 2021-09-02 21:55:22 UTC

url : hxxp://185.255.120.26/forum/pics/sefile.exe