MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25c3bafe1a3b624a4ace62710560bcd09df4f39b0e1d5a85aa0a1f715b20d28f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 6 File information Comments

SHA256 hash:	25c3bafe1a3b624a4ace62710560bcd09df4f39b0e1d5a85aa0a1f715b20d28f
SHA3-384 hash:	a010516da8ebe1a194a59cb34df3c42a6c4d229dc2da2f5474bd8e3742715b14fb5a40a5381c2d3966f158df8c3840bd
SHA1 hash:	bfda02daec5e6b4fb2f2074984e3b2f99b728c1d
MD5 hash:	645b4f42ec765c9b8e5cdd5a39c316a3
humanhash:	papa-north-sodium-uranus
File name:	645B4F42EC765C9B8E5CDD5A39C316A3.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	775'680 bytes
First seen:	2021-03-24 14:47:11 UTC
Last seen:	2021-03-24 16:54:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:5olPlqSAvIwukxly7sckqYw37Gp2qfuKssssq:wPAS+IClyxpYWrqfuKssss
Threatray	155 similar samples on MalwareBazaar
TLSH	6FF4326A993F5804D5B05DFE6A12A7801EDD1D13672DFA324262BDF3A5FCB821F42483
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://144.76.184.5:40355/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://144.76.184.5:40355/	https://threatfox.abuse.ch/ioc/5065/

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

645B4F42EC765C9B8E5CDD5A39C316A3.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-24 14:48:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/23c0f855-b277-4a7d-bc89-ad0fbe353474

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.63131.22375.13437.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% directory

Deleting a recently created file

Stealing user critical data

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/652389

Signature

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/25c3bafe1a3b624a4ace62710560bcd09df4f39b0e1d5a85aa0a1f715b20d28f/

Threat name:

ByteCode-MSIL.Infostealer.Coins

Status:

Malicious

First seen:

2021-03-18 18:36:23 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=exb3v7q2hnreuswomjyqkyf42co7j443byovvbnkbipxcwza2khq._file

Verdict:

malicious

RedLineStealer

1df627a462077149e7a934ea1b758c8fccf34933f340fab14ca8976b4a6a5c20

RedLineStealer

252c620181e163a91bee650ce34198009aa4d720ed304bd3a65a897a3df43201

RedLineStealer

264d1c1cbd93537901134c34c3cbae929ee2708ec8d80f666730d303f7f1f4f9

RedLineStealer

28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd

RedLineStealer

345e35eec8b99ff364f83128829f675834d8510e17d468bf3efdac52b11e4705

RedLineStealer

814ce31333d1e54c883fc8272d8d0f97fb5e7e594cb68bd206ed5aef384ed56d

RedLineStealer

9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea

RedLineStealer

d57a75cd0b16d4f2176a3086b24d8a2cfa9f55f3dea1f26f3906dd8295e4918d

RedLineStealer

e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37

RedLineStealer

+ 145 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210324-awpsrpwa9e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

Unpacked files

SH256 hash:

542a5ceee8f268a4bddf1bec0dc56a2a50cc30bb87dba00cfedc29d200601caa

MD5 hash:

75e320b7eb7628cc4580ff25709ea248

SHA1 hash:

a4d00f2ffbd2ecfde244fa9812cbccf1e2cb30c8

Link:

https://www.unpac.me/results/3128dbfe-c79f-407c-b403-f8495a4d0486/

SH256 hash:

6fdd6a9607965f9516e8b001e356222abe38653ef6047d50d178c62706da679a

MD5 hash:

3ebddc1ea8ef8d5ed161ddc8abb68685

SHA1 hash:

6202bd5a84b4eb39f2351a195673b979ee47376d

Link:

https://www.unpac.me/results/3128dbfe-c79f-407c-b403-f8495a4d0486/

SH256 hash:

25c3bafe1a3b624a4ace62710560bcd09df4f39b0e1d5a85aa0a1f715b20d28f

MD5 hash:

645b4f42ec765c9b8e5cdd5a39c316a3

SHA1 hash:

bfda02daec5e6b4fb2f2074984e3b2f99b728c1d

Link:

https://www.unpac.me/results/3128dbfe-c79f-407c-b403-f8495a4d0486/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/25c3bafe1a3b624a4ace62710560bcd09df4f39b0e1d5a85aa0a1f715b20d28f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample