MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28fd5ed9fb22c273cecc6c79f009d8ecf2358dfc472cde89f8d169b3e1c55a93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 3


Intelligence 3 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28fd5ed9fb22c273cecc6c79f009d8ecf2358dfc472cde89f8d169b3e1c55a93
SHA3-384 hash: 327415e9b4a1e5407570e9f1a15d1940d9712b148ed5d01a11ad9228a4d9ba379282856c742318286d37273e227de6b4
SHA1 hash: 917e289b6835c9a3c6b84ac8c8e1c9153fbe8a60
MD5 hash: 176d52b863f3d7cedacf23588a57b7cf
humanhash: edward-ten-mike-california
File name:pureland.7z
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:439'666 bytes
First seen:2023-03-03 08:59:40 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
Note:This file is a password protected archive. The password is: pureland
ssdeep 12288:PdmZlsnND3GBN5OvYjeVWnOlunarqpPaNA:PWWNDWsYjeVJun0qxyA
TLSH T1139423612A7269D502BF54F1A148C98D2A48BFF2CF3D5C913FF7EB89D60842D18BC526
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter iamdeadlyz
Tags:167-235-233-35 7z exe file-pumped PureLand pw pureland RedLineStealer


Avatar
Iamdeadlyz
From thepureland.io (impersonation of Rune Teller - https://store.steampowered.com/app/1944360/Rune_Teller/)
Related incident: https://www.coindesk.com/business/2023/03/02/blockchain-game-the-sandbox-warns-of-phishing-email-after-security-breach/
RedLineStealer C&C: 167.235.233.35:16621

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:pureland.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:734'667'728 bytes
SHA256 hash: 7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23
MD5 hash: 68640753e6d7039bc457b03a5b57fd39
De-pumped file size:655'872 bytes (Vs. original size of 734'667'728 bytes)
De-pumped SHA256 hash: f4ae47d0f97a500401a1e5a068dbab57dfbd9cdf0ffebae6e730e5cc3226fc2e
De-pumped MD5 hash: f98df82f0afc60f34816d35c9dd75245
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/28fd5ed9fb22c273cecc6c79f009d8ecf2358dfc472cde89f8d169b3e1c55a93
Result
Verdict:
UNKNOWN
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28fd5ed9fb22c273cecc6c79f009d8ecf2358dfc472cde89f8d169b3e1c55a93/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fd6v5wp3elbhhtwmnr47acoy5tzdldp4i4wn5cpy2fu3hyoflkjq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:5hr infostealer
Link:
https://tria.ge/reports/230303-l6smaaha49/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
RedLine
Malware Config
C2 Extraction:
167.235.233.35:16621
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

7z 28fd5ed9fb22c273cecc6c79f009d8ecf2358dfc472cde89f8d169b3e1c55a93

(this sample)

7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23

  
Dropping
SHA256 7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23
  
Dropping
SHA256 f4ae47d0f97a500401a1e5a068dbab57dfbd9cdf0ffebae6e730e5cc3226fc2e
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2556464/
  
X
https://twitter.com/Iamdeadlyz/status/1633253641556746240
  
Dropping
MD5 f98df82f0afc60f34816d35c9dd75245

Comments