MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
SHA3-384 hash: bc7bc589a2f81eba9be0e2e1bc64d3a3646a15b8a8bf9c28e08fb5b9ec338a9b0e37ae675a4798d675a08991aa763098
SHA1 hash: a2354fb83428526ae0182703443742fb043844bf
MD5 hash: 039b70810893e781f67f04d80afb474e
humanhash: two-venus-snake-california
File name:039b70810893e781f67f04d80afb474e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:342'528 bytes
First seen:2022-12-20 19:38:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0138026f27a8120abebbb5ad66a72bf2 (8 x Smoke Loader, 5 x Tofsee, 3 x RedLineStealer)
ssdeep 6144:nHLGp+jGcOWHd3PfswnFeKSPO8vRDJ91xX49V4I1SQlCa:nH6pxA98wSLJtxXuVzZX
Threatray 12'416 similar samples on MalwareBazaar
TLSH T1CA74E1703A909175C2A315364C15D7A4EE29BC1BFE24463322E7FE2FAE713D0D65A389
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acedecee6eaee (119 x Smoke Loader, 44 x Amadey, 41 x Tofsee)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
039b70810893e781f67f04d80afb474e
Verdict:
Malicious activity
Analysis date:
2022-12-20 19:41:43 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/1808f5fd-3cd7-476b-8084-22889d37b7a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/348494/
Detection(s):
Win.Packed.Pwsx-9980703-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm azorult greyware lockbit packed
Link:
https://www.filescan.io/uploads/63a20f58e401a0f925fe3290/reports/d2b2f1ea-18c6-4a04-949c-0f1a9faac5da/overview
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6b6d5bf-0ae0-4143-b06b-046485ad1ea5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1138207
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19/
Threat name:
Win32.Trojan.RaStealer
Create hunting rule
Status:
Malicious
First seen:
2022-12-20 19:37:52 UTC
File Type:
PE (Exe)
Extracted files:
59
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gfnepyoj5a4dak6r56ugt4aq36xayyov7jjuspjmucb37d5ftumq._file
Verdict:
malicious
Similar samples:
5b6939d654df48fbd42bcf7f6895ff9fc500937d66101a5ee26c60936a628c36
RedLineStealer
63987dfe19ad3a29c6b0c4af6101918ee849128b387dacf88e2a79f7e027a109
RedLineStealer
6e3d680e4fb46b2dd85199adf34027182194476a73cb8900857ec3119d3a6224
RedLineStealer
83c9b03b8c8eaaceeaa9e533f3739dc4fbf6fc6765a16a5f148b9fd300fa4f5d
RedLineStealer
bd3c521354c5d4a26cb7e9491fcbf31e7f1a8b04b6461dde4125857ad354a822
RedLineStealer
c3f645b7080285e3ecc3af56997291f5fb0a71226228ed6383d93d1d2c88b998
RedLineStealer
d4c6994139ee7f5f5d350961e790a3ef6ac12ff616e3b7250d5e20645b7d3bd0
RedLineStealer
de391649878b1eb9c9e25c07774553e6dd8f63200d5bb536e12b61ee2f9ecffa
RedLineStealer
ecb11fb7674c43e67de8b277d8fe7ee84e53a609e43b6c5f9d74ccf4d3ad0484
RedLineStealer
ecdbfd180350ff6bb51400dafc6cef118adffe573b4ac62c6f1cca508846ea88
RedLineStealer
+ 12'406 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:trud discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221220-ycymnaag99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
65f75c671b35cbde3bc6a355f88bf821f74c8a082c9744480a59bbd72defe0c7
MD5 hash:
1904c9b0a20ab75b269c4a8f7d30dacc
SHA1 hash:
c1aecaaf9ff915be2950fcdaa149dc773d349630
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f6f5141f-8cfc-4d38-bbd5-b4e0c674788d/
Parent samples :
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
1fc1cd4294d1ada2d5b9749125ac1c8fff4fd65d25b59ea9590e9f8545a02f77
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
6efb2e32950265ab4042fc55e79f9791940bd1e228ab626193a6aef2f8ac937d
777e65e00628ae01a5be7027d471bae921525620493656033d2823eb9c275ff5
ae2b1fc1616ef5f45b445f766f8bef9cfa464b41f3319b05b2d48c0e8b73f7e7
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
140f3aa7c2db1fd5335dbe01511bc09e4f90d79ad8af94b2f04cda775f3d8c70
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SH256 hash:
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
MD5 hash:
078f90abfc1dddd108adcb85761689d0
SHA1 hash:
51a86a74c011e0a6813b0058104f6b21765ed99c
Link:
https://www.unpac.me/results/f6f5141f-8cfc-4d38-bbd5-b4e0c674788d/
SH256 hash:
a714830b23ef52a2529880c8e9a377e56dde10f7cddc4083a02cb6e6a932abe2
MD5 hash:
6fe9fc0e7c5ad24c8ace861f0e514001
SHA1 hash:
0e9ecc9f6687954e9f6f0b8d331a77d8cf9108ea
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/f6f5141f-8cfc-4d38-bbd5-b4e0c674788d/
Parent samples :
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
1fc1cd4294d1ada2d5b9749125ac1c8fff4fd65d25b59ea9590e9f8545a02f77
6efb2e32950265ab4042fc55e79f9791940bd1e228ab626193a6aef2f8ac937d
777e65e00628ae01a5be7027d471bae921525620493656033d2823eb9c275ff5
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SH256 hash:
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
MD5 hash:
039b70810893e781f67f04d80afb474e
SHA1 hash:
a2354fb83428526ae0182703443742fb043844bf
Link:
https://www.unpac.me/results/f6f5141f-8cfc-4d38-bbd5-b4e0c674788d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/315a47e1c9e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/348494/

Comments


Avatar
zbet commented on 2022-12-20 19:38:55 UTC

url : hxxp://31.41.244.228/true/trud.exe