MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 317a7f6ecf0ce206b2548766aa20ec3c4b0838006ac5c759d89ccf91979a3dc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 317a7f6ecf0ce206b2548766aa20ec3c4b0838006ac5c759d89ccf91979a3dc7
SHA3-384 hash: 9e8a0956f287e612ed050db15525b65fe2edb2646c86cecb2e4399d6a6c30bb6d75d5aff3d3365bda38c54e738908c51
SHA1 hash: f3fcb147629ca8ca4679cb746ada8da5cc9851a6
MD5 hash: 33ea2b082f00f0d1534ba4af9006849c
humanhash: louisiana-high-florida-victor
File name:33ea2b082f00f0d1534ba4af9006849c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:337'408 bytes
First seen:2022-06-11 16:31:26 UTC
Last seen:2022-06-11 17:51:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 008ea152f1f3887c2cd01bb02eebf266 (1 x Smoke Loader, 1 x RedLineStealer)
ssdeep 6144:YPjObIg5sYW20PeFcYyeDCf+EP29YIGJm9MPe:Yy0rY9ajemf3IGJE
Threatray 3'885 similar samples on MalwareBazaar
TLSH T14774F151B3A2C973D49759305871D7124FBB351127300A8FABA8277E9FEC3809ABD35A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5c59da3ce0c1c850 (36 x Stop, 33 x Smoke Loader, 26 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
33ea2b082f00f0d1534ba4af9006849c
Verdict:
Malicious activity
Analysis date:
2022-06-11 16:39:08 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/de9b0eb2-3292-4ace-8b95-1ade542eede3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/278932/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.21853.16223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/20695/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypter greyware lockbit packed ransomware virus
Link:
https://www.filescan.io/uploads/62a4c3648763ffd4adb48d0c/reports/04b604db-cd32-4c09-bf49-1192ce8c1eea/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17f23c44-c7f8-47fd-8aea-e28b636736f9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1011402
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/317a7f6ecf0ce206b2548766aa20ec3c4b0838006ac5c759d89ccf91979a3dc7/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-11 16:28:47 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 41 (43.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gf5h63wpbtranmsuq5tkuihmhrfqqoaanlc4owoytthzdf42hxdq._file
Verdict:
malicious
Similar samples:
21e6bcb2f60daa0e97c0aa6cbe59125ab843fdd08a3ed29a7231fa460eab8f33
RedLineStealer
88a8b456d499c656577189e9a9f348f15c1469ee459c05dcf2b383bad44b89c9
RedLineStealer
a54f73244c237c8978e4fe95c07361b177b5cc231ac6fbb630008fab8b9e17f6
RedLineStealer
b79037b76c1503954797d791368597aca92908cb9ee809b2e2122ed8a04531e1
RedLineStealer
bfd91a316ca48f2a35cf9551e66a1edc5755c4859a3f12a67080e9fbfa80bd9d
RedLineStealer
df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
RedLineStealer
e67b3d08f492ddbbf8a5695251e999a0ccd69ab5a61cb4135b41223a7adea2af
RedLineStealer
+ 3'875 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:unikalno discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220611-t1x9kscbg3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.233.48.58:43014
Unpacked files
SH256 hash:
881234eff8f61ae71692d59172a1bc26a40b3da7030046e909b63b619f8340ef
MD5 hash:
07d8fe705e2bccefb056669fc96a1654
SHA1 hash:
d02ba122d60465e8031ba5d1deb1d3075c2fceaa
Link:
https://www.unpac.me/results/81448937-eb9a-47e1-8864-f1e04353874f/
SH256 hash:
3368355655b5f5c91b265c66cd73f66091c08e656686102f7831384d89310380
MD5 hash:
ea686363d88e796528eceb716303e421
SHA1 hash:
3f6b344301188aacf37b75ec087862b5db8247b3
Link:
https://www.unpac.me/results/81448937-eb9a-47e1-8864-f1e04353874f/
SH256 hash:
aa9b295d90d50a654661869c763ec71d52106f6e9008a65c5f70f32402a89f45
MD5 hash:
bb8a453dd9eb3083f6144bf7b95effc4
SHA1 hash:
30a7939beec821a304cc2ac441f13eb2e2c85b43
Link:
https://www.unpac.me/results/81448937-eb9a-47e1-8864-f1e04353874f/
SH256 hash:
317a7f6ecf0ce206b2548766aa20ec3c4b0838006ac5c759d89ccf91979a3dc7
MD5 hash:
33ea2b082f00f0d1534ba4af9006849c
SHA1 hash:
f3fcb147629ca8ca4679cb746ada8da5cc9851a6
Link:
https://www.unpac.me/results/81448937-eb9a-47e1-8864-f1e04353874f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/317a7f6ecf0ce206b2548766aa20ec3c4b0838006ac5c759d89ccf91979a3dc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 317a7f6ecf0ce206b2548766aa20ec3c4b0838006ac5c759d89ccf91979a3dc7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/278932/

Comments


Avatar
zbet commented on 2022-06-11 16:31:35 UTC

url : hxxp://kfcburgers.com/burger.exe