MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141
SHA3-384 hash: 02f64c4285028c3156c03748f54e5cf1fddc1bab9504cb1556697417b56ec860875dabc02fce9316f2bd29a162ee386b
SHA1 hash: 4a2ddbdb8334e0c6aaf41a6bf7f4f0fee4f5ff9f
MD5 hash: cd8e811de64b5ac8fd4fdbc0aef185b8
humanhash: venus-texas-dakota-tennis
File name:cd8e811de64b5ac8fd4fdbc0aef185b8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'374'176 bytes
First seen:2022-10-25 22:05:46 UTC
Last seen:2022-10-25 23:25:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 86a57157b67d49dc635f7a3341cdcdfd (1 x RedLineStealer)
ssdeep 24576:IVo7uE0Oab8xook2OoYQYzzK52QbgWC3yNaarmNZS8hDpAj+5ugpUPiSrcw84obs:WMOJAfPVvtTeRdZEHQJfQuB
Threatray 43 similar samples on MalwareBazaar
TLSH T185558E32F2824937D1632B749C1B9299E925BF242B6864877FE45D0C9F396D3392C2C7
TrID 23.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
22.0% (.SCR) Windows screen saver (13101/52/3)
16.8% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
11.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
82.115.223.56:39447

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
82.115.223.56:39447 https://threatfox.abuse.ch/ioc/872213/

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
ExoticFN Hack v19.05.bin
Verdict:
Malicious activity
Analysis date:
2022-10-11 06:22:00 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/0df07945-0f35-47fb-8fb5-198dc2f265f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324131/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62688802.8147.9227.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/186662a1-b84e-47e2-b736-3772791c4a8d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097918
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 09:30:02 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=geb37y3igaupky3l5xc57mlf6z5qbsyi7j6x23ilyarkfahhwfaq._file
Verdict:
malicious
Similar samples:
21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421
RedLineStealer
23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
RedLineStealer
57edb17976437e8a4d8ccfa21d83fdfcc3ccfb6077482bf2138b4553f6922afc
RedLineStealer
727be5cee6ca4efd8b66e94850461d4d1aab5757d8530d69596b2bd1967790a0
RedLineStealer
888b5e39aafdf0f8db93b08e9e6dfc59430c54d1c7ca844f626645e00101ac32
RedLineStealer
cb3df9a9c73428751b722ae2dfbce2d04b46125d6aa5f69164e73f0f25ccfc8c
RedLineStealer
+ 33 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@twister discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221025-1z2zpseaeq/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
82.115.223.56:39447
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6876ae14-9802-4240-9ad0-d7a224f55b50
Unpacked files
SH256 hash:
3570fea89662d2386bb59f6db89788e72f18f207d848921a8d42383277963dd1
MD5 hash:
b952d64bb42e7f6db0d6376826cdcb33
SHA1 hash:
b65947617d68b75496e06bddd0453efc2b7af2e3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/7168995e-02b2-4526-9b87-94c3fd29730c/
SH256 hash:
3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141
MD5 hash:
cd8e811de64b5ac8fd4fdbc0aef185b8
SHA1 hash:
4a2ddbdb8334e0c6aaf41a6bf7f4f0fee4f5ff9f
Link:
https://www.unpac.me/results/7168995e-02b2-4526-9b87-94c3fd29730c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3103bfe3683028f5636bedc5dfb165f67b00cb08fa7d7d6d0bc022a280e7b141

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324131/

Comments