MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b
SHA3-384 hash: 09e71a678933beb9ee71f44fa9542ec6ec94f7c9d6d5b2d94fe57f8a381aafe4efa3e1908b26729d713826304e8aaee1
SHA1 hash: 59b79b81155927260c7e5c73c1505b7ff820fcd7
MD5 hash: 2d046356adc419adef4049f5ec0529fa
humanhash: lima-romeo-illinois-ohio
File name:2d046356adc419adef4049f5ec0529fa.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'334'272 bytes
First seen:2023-02-26 06:34:43 UTC
Last seen:2023-08-27 08:55:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:FfEZRk+1BmMN+wkQZVhtMOb7UlyPeNks08yfcadLetM7ckAx:Ff3IcMNHRLF4yP8k+y5UYnc
Threatray 575 similar samples on MalwareBazaar
TLSH T18B55339606B468FBCBDA13B19D6ED26DF132BDF9C4DBC209458759C5A2D024033363EA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
2d046356adc419adef4049f5ec0529fa.exe
Verdict:
Malicious activity
Analysis date:
2023-02-26 06:37:12 UTC
Tags:
redline
Link:
https://app.any.run/tasks/3b23e78f-0d40-4ed2-bf84-b955526556ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369765/
Detection(s):
SecuriteInfo.com.Variant.Lazy.292535.29739.7490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Sending a custom TCP request
Query of malicious DNS domain
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer obfuscated packed
Link:
https://www.filescan.io/uploads/63fafd98874679b6f447a80a/reports/c97bec6f-f90b-4d79-83ed-b4546a2836a0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e306c3e-43d3-4456-b4a0-89baa8700d3d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182514
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b/
Threat name:
ByteCode-MSIL.Downloader.PureCrypter
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 08:20:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 25 (92.00%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghshpi3tft2ng553xcofuwrxmpnn2nmbzydvgs5u7rko7okrqi5q._file
Verdict:
malicious
Similar samples:
03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
RedLineStealer
46962910101f24cea5430b64f9ff9830585a94824b8835c452c36e2db74ed033
RedLineStealer
8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc
RedLineStealer
866940bb59a32647c96466349066246b172adb7a5010678241be3e9663b1d637
RedLineStealer
a05759a606f754ea7315225ccd542774734962fc343d43cc9607db110e7956ee
RedLineStealer
cda5ced44ec0c2e58d0f38f9fa63a87364cf9cebcd2d0e1a11626a8bb694703a
RedLineStealer
d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944
RedLineStealer
ebb2dcf0d743e210a391d665b4589e3a0e41189ed1b21fcacc8c14caf13b1ce6
RedLineStealer
+ 565 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:purecrypter family:redline botnet:z2k downloader infostealer loader
Link:
https://tria.ge/reports/230226-hcb6nafh41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detect PureCrypter injector
PureCrypter
RedLine
Malware Config
C2 Extraction:
amrican-sport-live-stream.cc:4581
Unpacked files
SH256 hash:
0c3eb22b436fc5416bb24f257dd58e83ef094d20ba70da0a79134d3294f35c53
MD5 hash:
daad0be2d4a3d4f92fdb271c5e43c924
SHA1 hash:
1d90902ee9e352c931d7855a036efb92251a6112
Link:
https://www.unpac.me/results/0e848e2d-17e7-4796-aa46-ffc79f5fbbcd/
SH256 hash:
31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b
MD5 hash:
2d046356adc419adef4049f5ec0529fa
SHA1 hash:
59b79b81155927260c7e5c73c1505b7ff820fcd7
Link:
https://www.unpac.me/results/0e848e2d-17e7-4796-aa46-ffc79f5fbbcd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/369765/
  
URLhaus
https://urlhaus.abuse.ch/url/2550872/
  
Delivery method
Distributed via web download

Comments