MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3040057cc1f85077391462ead4d3fb8a08f4fe3ed92b1bde1d00b9b3f1e6eb47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	3040057cc1f85077391462ead4d3fb8a08f4fe3ed92b1bde1d00b9b3f1e6eb47
SHA3-384 hash:	6e6ab8faaad5a67efb5d14b178e6a5843f2b9b3be2206112e5ce0b48855a89a10d333746625288a09a17ce9717852eee
SHA1 hash:	b2b49b24b8fe57fc2947883b534d84431db2112b
MD5 hash:	b563f0cdb7c0e3029f48d990cd9aa547
humanhash:	blossom-stairway-asparagus-paris
File name:	b563f0cdb7c0e3029f48d990cd9aa547.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'457'932 bytes
First seen:	2022-07-09 05:40:24 UTC
Last seen:	2022-07-09 06:40:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fddbf4f40192bc43bc922f721e72df6c (5 x RedLineStealer, 1 x Formbook)
ssdeep	24576:SnPoYHYYrrQKBMBQkPylilVVW2Lj2hzaY40U/W4fLP3Ql3RuQ55313o:SnXCQGE2v2huY40U/W4fjAl3C
TLSH	T1C1B50A039ACB0E75DDD23BB4618B633AA734FD30CA2A9B7FF609C53559532C4681A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
62.204.41.144:14096

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
62.204.41.144:14096	https://threatfox.abuse.ch/ioc/821303/

Intelligence

File Origin

# of uploads :

# of downloads :

383

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/285753/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.32450.6794.5837.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/24717/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug formbook overlay packed redline spyeye

Link:

https://www.filescan.io/uploads/62c9152cdd037e27033ab981/reports/af430901-d2ef-43e8-ab37-d93d9bb0aaa0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Certishell

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/464b9bf5-7292-4795-9804-e931253e8cc6

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1027656

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3040057cc1f85077391462ead4d3fb8a08f4fe3ed92b1bde1d00b9b3f1e6eb47/

Threat name:

Win32.Trojan.RedlineStealer

Status:

Malicious

First seen:

2022-07-04 10:13:00 UTC

File Type:

PE (Exe)

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gbaak7gb7bihooiumlvnju73riepj7r63evrxxq5ac43h4pg5ndq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@biax1337 evasion infostealer spyware suricata trojan

Link:

https://tria.ge/reports/220709-gdfd2aegc9/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

RedLine payload

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

62.204.41.144:14096

Unpacked files

SH256 hash:

1a048b9afd77109616d0064cbd94601e9d7f70fac55a2dc688b9340132b7279b

MD5 hash:

b6ba4ef97ba262a7282c43884850583a

SHA1 hash:

4861b7a0ca01a093cf21618f3a8b8673de9ab3c3

Link:

https://www.unpac.me/results/36f3f348-0b4f-4c23-b533-762bdb73979a/

SH256 hash:

3040057cc1f85077391462ead4d3fb8a08f4fe3ed92b1bde1d00b9b3f1e6eb47

MD5 hash:

b563f0cdb7c0e3029f48d990cd9aa547

SHA1 hash:

b2b49b24b8fe57fc2947883b534d84431db2112b

Link:

https://www.unpac.me/results/36f3f348-0b4f-4c23-b533-762bdb73979a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3040057cc1f8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3040057cc1f85077391462ead4d3fb8a08f4fe3ed92b1bde1d00b9b3f1e6eb47

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/285753/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample