MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a3650fe227cd9e83c05b6e009ce3e4a1504244ed5871cc3fe6a2183e085386a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9



SHA256 hash: 2a3650fe227cd9e83c05b6e009ce3e4a1504244ed5871cc3fe6a2183e085386a
SHA3-384 hash: f982041f6e1b860e95ddead2e633f84e79c1a816fd49a75ba55b2e2a859587dd51e4b7d6cbe2874e6b98406f7422c55e
SHA1 hash: 23da3e203279e4c559febc41b302619be4e40c48
MD5 hash: 37ea12a8b28a3ee9f005e35d3b1adf57
humanhash: texas-tennis-winner-alabama
File name: 37EA12A8B28A3EE9F005E35D3B1ADF57.exe
Signature: RedLineStealer
File size: 1'049'671 bytes
First seen: 2021-06-21 20:31:36 UTC
Last seen: 2021-06-21 21:43:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 650ed02ca4b6baad6b24f20402b6268b (7 x RedLineStealer, 1 x CryptBot, 1 x RemcosRAT)
ssdeep: 24576:r5REvpedfR/V2v5007snDhjPdOjUA+bYHtBdkV08grM7lKL:rARed5cR00ANJ1mx60u7i
Threatray: 279 similar samples on MalwareBazaar
TLSH: 642501CD37A1B7B9D15E78F04B75A7A305225EAD0F93C9832788FB06FF2C1848269255
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.170.213.107:42592

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
185.170.213.107:42592 | https://threatfox.abuse.ch/ioc/139039/
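The IOC above is a single C2 socket. The following is an added example (not part of the MalwareBazaar page or of ThreatFox tooling) that sweeps Zeek-style connection records for that socket. The log lines are constructed for the example and are not traffic from this sample; the "medium" confidence tier for same-host/different-port matches is an analyst convention assumed here, not something the page states.

```python
"""Sweep network telemetry for the RedLine C2 socket listed in the IOC table.

Added example; not part of the MalwareBazaar page or of ThreatFox tooling.
The log lines are constructed in a Zeek conn.log-like layout and are not
real traffic from this sample.
"""
import ipaddress

# IOC from the page: RedLineStealer C2 (ThreatFox ioc/139039).
C2_SOCKETS = {("185.170.213.107", 42592)}

# Constructed telemetry. Columns: ts, uid, orig_h, orig_p, resp_h, resp_p, proto.
SAMPLE_CONN_LOG = """\
1624307500.123\tCabc1\t10.0.0.15\t51234\t185.170.213.107\t42592\ttcp
1624307501.456\tCabc2\t10.0.0.15\t51235\t93.184.216.34\t443\ttcp
1624307502.789\tCabc3\t10.0.0.22\t49876\t185.170.213.107\t8080\ttcp
malformed line that must be skipped
1624307503.000\tCabc4\t10.0.0.22\t49877\t185.170.213.107\t42592\ttcp
"""


def parse_conn_log(text):
    """Yield one dict per well-formed line; skip anything that does not parse."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        try:
            yield {
                "ts": float(fields[0]),
                "uid": fields[1],
                "src": str(ipaddress.ip_address(fields[2])),
                "sport": int(fields[3]),
                "dst": str(ipaddress.ip_address(fields[4])),
                "dport": int(fields[5]),
                "proto": fields[6],
            }
        except ValueError:
            # Bad IP or port: treat as unparseable rather than crashing the sweep.
            continue


def match_c2(records, sockets=C2_SOCKETS):
    """Return (confidence, uid, src, dst, dport) tuples for C2 contacts.

    high:   destination ip:port equals a published C2 socket.
    medium: destination host equals a C2 host but on another port. This tier
            is an assumption of the example (not stated on the page): a port
            mismatch deserves an analyst look, not an automatic dismissal.
    """
    hosts = {ip for ip, _ in sockets}
    hits = []
    for r in records:
        if (r["dst"], r["dport"]) in sockets:
            conf = "high"
        elif r["dst"] in hosts:
            conf = "medium"
        else:
            continue
        hits.append((conf, r["uid"], r["src"], r["dst"], r["dport"]))
    return hits


def affected_hosts(hits):
    """Internal sources with a high-confidence contact to the C2 socket."""
    return sorted({h[2] for h in hits if h[0] == "high"})


if __name__ == "__main__":
    found = match_c2(parse_conn_log(SAMPLE_CONN_LOG))
    for hit in found:
        print(*hit)
    print("hosts to triage:", affected_hosts(found))
```

Feed real Zeek output by replacing SAMPLE_CONN_LOG with the file contents; the header and comment lines of a real conn.log fail the field-count or int() checks and are skipped.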

Intelligence


File Origin
# of uploads: 2
# of downloads: 146
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 37EA12A8B28A3EE9F005E35D3B1ADF57.exe
Verdict: Malicious activity
Analysis date: 2021-06-21 20:32:23 UTC
Tags: autoit trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 438012; sample LKpLx8L8q9.exe; start date 21/06/2021; architecture WINDOWS; score 92)

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; Machine Learning detection for sample
Sample-level DNS/IP: api.ip.sb

Process tree:
LKpLx8L8q9.exe (started)
  signature: Contains functionality to register a low level keyboard hook
  +-- cmd.exe
        signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        +-- conhost.exe
        +-- cmd.exe
              signatures: Obfuscated command line found; Uses ping.exe to sleep
              +-- PING.EXE (contacts 127.0.0.1)
              +-- findstr.exe (drops C:\Users\user\AppData\...\Rugiada.exe.com, Targa)
              +-- Rugiada.exe.com
                    +-- Rugiada.exe.com
                          DNS: VbAOQNrKNFoNGDfSPlVTPb.VbAOQNrKNFoNGDfSPlVTPb
                          drops C:\Users\user\AppData\Local\...\RegAsm.exe (PE32)
                          signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                          +-- RegAsm.exe
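The process tree above gives three host-side detection opportunities: cmd.exe using ping.exe against 127.0.0.1 as a sleep, a ".exe.com" payload executed from under AppData, and RegAsm.exe run from a path outside the .NET Framework directory. The following is an added example (not part of the MalwareBazaar page or of any sandbox vendor's ruleset) that applies those three rules to process-creation events. The events are constructed in a Sysmon Event ID 1 style; the command lines and full paths are assumptions, since the page truncates the dropped-file paths and does not show the command lines.

```python
"""Detection rules derived from the sandbox process tree for this sample:
cmd.exe -> ping.exe against 127.0.0.1 (sleep), findstr.exe dropping
Rugiada.exe.com under AppData, Rugiada.exe.com dropping and starting RegAsm.exe.

Added example, not part of the MalwareBazaar page or of any vendor ruleset.
EVENTS is constructed telemetry; command lines and full paths are assumptions.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed events following the shape of the behaviour graph (paths and
# command lines assumed, not taken from the page).
EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Users\user\Desktop\LKpLx8L8q9.exe", "LKpLx8L8q9.exe"),
    Event(300, 200, r"C:\Windows\System32\cmd.exe", 'cmd /c "<obfuscated>"'),
    Event(310, 300, r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    Event(320, 300, r"C:\Windows\System32\cmd.exe", 'cmd /c "<obfuscated>"'),
    Event(400, 320, r"C:\Users\user\AppData\Local\Temp\Rugiada.exe.com", "Rugiada.exe.com"),
    Event(410, 320, r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1 -n 30"),
    Event(420, 320, r"C:\Windows\System32\findstr.exe", "findstr <args>"),
    Event(500, 400, r"C:\Users\user\AppData\Local\Temp\Rugiada.exe.com", "Rugiada.exe.com"),
    Event(600, 500, r"C:\Users\user\AppData\Local\Temp\RegAsm.exe", "RegAsm.exe"),
    # Benign look-alikes that must NOT fire.
    Event(700, 100, r"C:\Windows\System32\PING.EXE", "ping -n 4 example.com"),
    Event(800, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe lib.dll"),
]

# ping to loopback with a repeat count, in either argument order: the classic
# "sleep N seconds" idiom used by cmd-based loaders.
PING_SLEEP_RE = re.compile(
    r"\b(?:127\.0\.0\.1|localhost)\b.*-n\s+\d+|-n\s+\d+.*\b(?:127\.0\.0\.1|localhost)\b",
    re.I,
)


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, pid) for every event matching one of the three rules."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        low = e.image.lower()

        # Rule 1: ping.exe spawned by cmd.exe, looping against loopback.
        if (name == "ping.exe" and parent is not None
                and basename(parent.image) == "cmd.exe"
                and PING_SLEEP_RE.search(e.cmdline)):
            hits.append(("ping_sleep", e.pid))

        # Rule 2: an *.exe.com file executed from the user's AppData tree.
        if name.endswith(".exe.com") and "\\appdata\\" in low:
            hits.append(("exe_com_in_appdata", e.pid))

        # Rule 3: RegAsm.exe running from anywhere but the .NET Framework
        # directory (also matches Framework64 by prefix).
        if name == "regasm.exe" and "\\microsoft.net\\framework" not in low:
            hits.append(("regasm_outside_framework", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28} pid={pid}")
```

The rules key on structure (parent/child, path location) rather than on the dropped file names, so a rebuilt loader with a different name still trips them; tune the AppData rule if your fleet legitimately runs double-extension files from that tree.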
Threat name: Win32.Trojan.Graftor
Status: Malicious
First seen: 2021-06-21 20:32:12 UTC
AV detection: 15 of 46 (32.61%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SHA256 hash: 3f184a01c58f435e244621a20d7b0389df0da506b442961c14d785aafe06df88
MD5 hash: acea5f3c84a1a0ef83c40f5b909db176
SHA1 hash: 2f02e5307d03aca0349ba0c2023d11dc7b1c6e7b
SHA256 hash: 190e34457374b8d431bc7d265f7b698a316bd57c1b92ecb83ea2b27063d90862
MD5 hash: d622ac0638ff4a9740293a099d930de2
SHA1 hash: 6a2203a98acfdc604484a4e8c0bdf5cf312430b5
SHA256 hash: 2a3650fe227cd9e83c05b6e009ce3e4a1504244ed5871cc3fe6a2183e085386a
MD5 hash: 37ea12a8b28a3ee9f005e35d3b1adf57
SHA1 hash: 23da3e203279e4c559febc41b302619be4e40c48

File information



Comments