MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04e3d6d15bca42b83260d9eaa3fef9363566e3358bb8a3944510c9aba67320be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	04e3d6d15bca42b83260d9eaa3fef9363566e3358bb8a3944510c9aba67320be
SHA3-384 hash:	518a8919241df5b37bc12cd29b160f0596035271a3b35a7cefca72eeadced376d0330e0a9a9cc4e9009b42e6dbf6c0a4
SHA1 hash:	0719eacb9382c830208b99776c96082d1dfc6af7
MD5 hash:	deca67f083ae99a6bb5e9f8e8f31550c
humanhash:	minnesota-whiskey-maine-london
File name:	04e3d6d15bca42b83260d9eaa3fef9363566e3358bb8a.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'685'504 bytes
First seen:	2022-01-14 13:43:00 UTC
Last seen:	2022-01-14 16:00:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep	12288:x0jZxzTGn24nCgKrborzKb7HQt0XT6QVbacjAEoFLXlDh1vzx2ypFlbDCSj:xmKYg2crzKbzQtMGoAEcLXz1vl2aFD
Threatray	2 similar samples on MalwareBazaar
TLSH	T117753953B88130F5D0AED2318BB55232BB7178A9073153DF2BA293BA1F62BD41E79351
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
81.91.178.186:19410

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
81.91.178.186:19410	https://threatfox.abuse.ch/ioc/295240/

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://crackedrar.com/

Verdict:

Malicious activity

Analysis date:

2022-01-14 11:02:14 UTC

Tags:

evasion trojan loader rat redline stealer vidar raccoon

Link:

https://app.any.run/tasks/bc179e84-8d38-40a2-823c-d0adbd1a69fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/219330/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.38514707.25596.19057.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

DNS request

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4193/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61e17dece997359713ec8767/reports/9fc649fa-10d9-47d8-8517-7c1e93e562f1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6a0035ab-f17f-4071-a436-420d7c594ff9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/920768

Signature

Antivirus detection for dropped file

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/04e3d6d15bca42b83260d9eaa3fef9363566e3358bb8a3944510c9aba67320be/

Threat name:

Win64.Spyware.Generic

Status:

Suspicious

First seen:

2022-01-14 04:12:17 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 43 (27.91%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=atr5nuk3zjblqmta3hvkh7xzgy2wnyzvro4khfcfcde2xjttec7a._file

Verdict:

malicious

RedLineStealer

83d0e70a23c542850312be419a86d0a77390d766ce8b5dd21ab0620c1aec75d3

RedLineStealer

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220114-qz9pfagea6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Executes dropped EXE

Unpacked files

SH256 hash:

04e3d6d15bca42b83260d9eaa3fef9363566e3358bb8a3944510c9aba67320be

MD5 hash:

deca67f083ae99a6bb5e9f8e8f31550c

SHA1 hash:

0719eacb9382c830208b99776c96082d1dfc6af7

Link:

https://www.unpac.me/results/b8e5d747-8cb8-4dd9-ae6f-a4548ddf8c53/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/04e3d6d15bca42b83260d9eaa3fef9363566e3358bb8a3944510c9aba67320be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	methodology_golang_build_strings Create hunting rule
Author:	smiller
Description:	Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/219330/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample