MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33007d8dcee962264e734fd5b8efec03a985193f463eb6b2641ea0200596f826. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14


SHA256 hash: 33007d8dcee962264e734fd5b8efec03a985193f463eb6b2641ea0200596f826
SHA3-384 hash: 7f010be8bfadc17818eaa0d399f1044d986242b4593a0103af0a800ef5f16c752ffae6dcec1dab70b3f4ff5da7ff48f5
SHA1 hash: e2f08129bbbf2dd295e905f53e3d18800f79feaf
MD5 hash: c9d38a734f9ce6bef5d015e2df01d2e4
humanhash: nuts-carbon-lamp-quiet
File name: c9d38a734f9ce6bef5d015e2df01d2e4.exe
Signature: RedLineStealer
File size: 69'120 bytes
First seen: 2022-03-23 09:02:44 UTC
Last seen: 2022-03-25 07:04:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d5d9d937853db8b666bd4b525813d7bd (40 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep: 1536:A3kmlMm8DM/h9oliPwP+BPX13wjSyASZWAXyMX2ru0hhGt:A0mlMLmAiK+VXxEFuu0hot
TLSH: T1F26302D7BD666D57E81E3F79FE304CB34F6032DC872086865B054AC482F9A5BC4646A8
Reporter: abuse_ch
Tags: exe RedLineStealer

abuse_ch
RedLineStealer C2:
62.182.156.185:48571

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 62.182.156.185:48571
ThreatFox reference: https://threatfox.abuse.ch/ioc/441616/

Intelligence


File Origin
# of uploads: 3
# of downloads: 152
Origin country: n/a

Vendor Threat Intelligence
Malware family: socelars
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2022-03-22 01:45:48 UTC
Tags: evasion trojan socelars stealer loader rat redline vidar opendir ransomware stop

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.VBinder
Status: Malicious
First seen: 2022-03-21 23:48:10 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 37 of 42 (88.10%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SHA256 hash: 33007d8dcee962264e734fd5b8efec03a985193f463eb6b2641ea0200596f826
MD5 hash: c9d38a734f9ce6bef5d015e2df01d2e4
SHA1 hash: e2f08129bbbf2dd295e905f53e3d18800f79feaf
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256: 33007d8dcee962264e734fd5b8efec03a985193f463eb6b2641ea0200596f826 (this sample)

Delivery method: Distributed via web download

Comments