MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f
SHA3-384 hash: 5d0407aad3dc73107552ef37b2e4c8cd8480da8119954007b9d0d60feed4840e8b419326156bda0ae7c3aacc9ff20de5
SHA1 hash: 8fda4b5d42ed10c6d1c7021e70498233b33713f0
MD5 hash: cf15fbdc9ee423a036182972c85601ad
humanhash: vegan-aspen-october-earth
File name:cf15fbdc9ee423a036182972c85601ad.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:395'776 bytes
First seen:2022-12-24 18:30:28 UTC
Last seen:2022-12-24 19:29:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 81084ac57f5d38e75d3a63cf80f4122a (5 x RedLineStealer)
ssdeep 12288:+RRMyUvkLk2zVcOjZh1rskSnQ4DJW0Wrf0S+n9dDuu788Xzwlrz2lB4ung2oonKo:+RWvr8B1skSnQ4DJW0Wrf0S+n9dDuu7D
Threatray 1'896 similar samples on MalwareBazaar
TLSH T190848CC37081847DD52D0EF58AB096A407E9263DCA26FEDF5BFF1E6B4E203AD811055A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
79.137.202.18:45218

Intelligence

File Origin
# of uploads :
3
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
cf15fbdc9ee423a036182972c85601ad.exe
Verdict:
Malicious activity
Analysis date:
2022-12-24 18:32:19 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/5d8f93b5-2cca-4bfa-8b31-836eef4e54c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.22194.12250.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/63a74568a5802d05b3debed9/reports/61babc33-28a8-4d86-bc75-7890e580c74f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/180cd796-234f-44d1-993d-9374566f8b63
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140538
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-24 18:31:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=geqtdemx25hvkzrhl7wvctjpzqybxorcy7dipfdeahe75lwsmz7q._file
Verdict:
malicious
Similar samples:
03ca2aaa9e5bbe7728bb69be32b347a12178e6376d5efbb7a7b0a228b70e5dcd
RedLineStealer
1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f
RedLineStealer
18b946d10fd3e8d8508fd47749aef1df080e2804b3457f2f4589da13065eaccf
RedLineStealer
217c469af3fe96773cf891fcdd050b71e8da6c29c55a2af173e80d265e444af2
RedLineStealer
3f44abd5b41ac34d032bdf07b2cc03fb5523f76d1a924d1929c55f77c1cf12a0
RedLineStealer
5b7fd8399f4d782bb4f08df3f4a04b3f580c8b64659c0de4c353b2c01bdb3db0
RedLineStealer
9b9f5db0898f6e2481402322ccfd48bead757e3c93aaccb744ab21e2af54dab9
RedLineStealer
c06c0fdae71a40e7b8a804d29cab262bc0802db87a9d2d6db4b193d405a0d020
RedLineStealer
d78f10d9f1fc9f184a8fb7ab10d1683a9857be12a81e504f2389edde9203ab5c
RedLineStealer
f863b2eaafe78bd61faf02eda91f00fafe397b7accd0817f03ce68a355d625f4
RedLineStealer
+ 1'886 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:11 infostealer spyware
Link:
https://tria.ge/reports/221224-w52hxaad52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
Malware Config
C2 Extraction:
79.137.202.18:45218
Unpacked files
SH256 hash:
afd50f079bd873c5f389bf1a48f618ac97debc8f3e1856b9da204ea4f092af1a
MD5 hash:
55b837a7696044eda89bf237b37f37ce
SHA1 hash:
1e6c862f373fb90ee143bd68e7aca8079f1a7f24
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/16f7d1a4-821d-444d-84d1-347b82034af3/
Parent samples :
f863b2eaafe78bd61faf02eda91f00fafe397b7accd0817f03ce68a355d625f4
c06c0fdae71a40e7b8a804d29cab262bc0802db87a9d2d6db4b193d405a0d020
18b946d10fd3e8d8508fd47749aef1df080e2804b3457f2f4589da13065eaccf
1268e655f6de27245a9d7d1b5a8ef50484865fd9833078ecec2c46c3247c7c6f
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f
99b7396773e11d0a1d44f674310025344f2d8c9d2813d33e9bd7dd35ac5f2360
9a48ec1ff7995f724b479d97b0fd21fc0ee9c6c1598a39192ec677b648087602
13b8a421f7b03dc4ff1ab5a537dc120b89f1c1daacbbb2678ab323a9f5a56c47
7f11a927ac9742f5b53973e5a198044f52c11af540c028ba81bf1b93ecdff4f0
728d0c12a4883b351dab40bfa2881a0dc967f9ff598384050da6c43d0d9bb476
8e2e0590b0418adf88d487f37a49107538e7e2d243f165845852c3f7ece6a337
3ca4879853a8f13a89473cb07e7ae77ab830abbf0ea5e09b3f525c5810b153b9
321b7072a0ea33c36933b98b6523eaf4dead69a8e90dc032f8a4b10cfb835b1e
505509de0eccbd99559118cc90f42f5618c68827d963394afdef810c7fc3b2f1
f80b159cd3d099a3e40ff671e2544df562639dd0cda61709f9e367288140e414
SH256 hash:
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f
MD5 hash:
cf15fbdc9ee423a036182972c85601ad
SHA1 hash:
8fda4b5d42ed10c6d1c7021e70498233b33713f0
Link:
https://www.unpac.me/results/16f7d1a4-821d-444d-84d1-347b82034af3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3121319197d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2485089/
  
Delivery method
Distributed via web download

Comments