MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
SHA3-384 hash: d82df4d3e96e724c3c130a3b1e1cfad96e0c6f07b648dead081631641cbb94feb825f703edcc8d1d3d24e404bab928f0
SHA1 hash: b37a62cc2e299e204f64a741a532685bfd42289f
MD5 hash: f766e02da046dcd0b34eed69e2c68182
humanhash: montana-stairway-butter-red
File name:f766e02da046dcd0b34eed69e2c68182
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:320'512 bytes
First seen:2023-03-03 17:02:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 76cdbf777494f5c49310ced09b70cdce (8 x RedLineStealer, 3 x Amadey, 3 x Smoke Loader)
ssdeep 6144:Q+kiHuUvh9Qfpe08PcowUm6GQhT+hF96JRTTfmCtdS8tpqj:Q+kiHxzQfpN8sUmVQohF4JxNdSm0j
Threatray 17 similar samples on MalwareBazaar
TLSH T10F64E03072D1D831C0B21A31CE7586F1963BBCA3AD79549B73943B2E5EB02C1896D7A7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 948cccf2b696dc18 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
f766e02da046dcd0b34eed69e2c68182
Verdict:
Malicious activity
Analysis date:
2023-03-03 17:05:52 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/9a617e4f-f12f-4911-be31-16ecd47beed4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371494/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.15545.15443.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed ursnif
Link:
https://www.filescan.io/uploads/64022848bfec0852a68ecf29/reports/3089c0fd-3bbb-42bb-afe5-ee4385e0869c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82902527-70a8-4aa2-8ee2-7fca4d574994
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1186741
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-03 17:09:25 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpb36pkxrl3pgz7sxipcnbggq2vsgop3zkr63u4oqn4ju2jn6hra._file
Verdict:
malicious
Similar samples:
1763ca201c7137c9b105cec473fc8099384a951925f8c2abbce55fd976fbd26f
RedLineStealer
3868a70f2245c490aeadccd7a198f86a8b706c9bc7e0bca061b2cffd0e49c06f
RedLineStealer
4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e
RedLineStealer
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
RedLineStealer
66a4e11b4b456161e5561e8ffb153daa896db70e6575cf167acf2338dbdf3861
RedLineStealer
6f1b5358eb811f0fcca3b0ae1ca98e00601a813e39dd5314745c8fd9294a709d
RedLineStealer
94f72fbf8f77ae4664efcdbb22019e9dc0b0d37e5ee3a6d70d2cde10fa5f89ca
RedLineStealer
9aa78e8428c7b1d10b7385beade2a05a7d42847d596174f8785ef5108273450a
RedLineStealer
9ca7e51801c4e6739317ad90b9720d375fe076362dca54546d6bebb3e187f3d4
RedLineStealer
e6b0accb87874557ba38790c25509486bc49e818c9104b7117351996dfeae7e5
RedLineStealer
+ 7 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230303-vkn7eaaa81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
de61cf25202e6b74967ad446111c516c50695c36172452da3bef94d68d3fdd7a
MD5 hash:
558eace0ceabd8b25d590be8966a58e7
SHA1 hash:
ca4df41956f1ca42db197dcf1c0d469ba3e16a8d
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/cadf4d6d-268f-429c-b260-232ac6cbc611/
Parent samples :
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
319f678b8bf7350d8a85d7a6185909f75ded81a976062ca8ef823177e90a649b
11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0
SH256 hash:
db2c4acdeb934ae96e51b46b88f24dad4e43f69a90de44b8554e30b909ef29ca
MD5 hash:
9dc3abbfdcd1bb7cafb14a35b60d6713
SHA1 hash:
6aacaf8c94121006562f4a013283741340e99693
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/cadf4d6d-268f-429c-b260-232ac6cbc611/
Parent samples :
b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
319f678b8bf7350d8a85d7a6185909f75ded81a976062ca8ef823177e90a649b
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666
SH256 hash:
f4262b5eb59db26a6eb9534d7d8e57955ef5ef3079a439570cb32c9754baf696
MD5 hash:
bcc57bbabee21070c3b1c1c0d6549c1d
SHA1 hash:
374f18b741a610c8d532d793c52e2aae22fc7856
Link:
https://www.unpac.me/results/cadf4d6d-268f-429c-b260-232ac6cbc611/
SH256 hash:
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
MD5 hash:
f766e02da046dcd0b34eed69e2c68182
SHA1 hash:
b37a62cc2e299e204f64a741a532685bfd42289f
Link:
https://www.unpac.me/results/cadf4d6d-268f-429c-b260-232ac6cbc611/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0bc3bf3d578a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2556788/
Cape
Cape
https://www.capesandbox.com/analysis/371494/

Comments


Avatar
zbet commented on 2023-03-03 17:02:24 UTC

url : hxxp://91.215.85.15/doz.exe