MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3368b737bc6f1891331e6d835edab190fdaba0faec69f18d3823f575ac860898. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	3368b737bc6f1891331e6d835edab190fdaba0faec69f18d3823f575ac860898
SHA3-384 hash:	af142848146e3efaca332162e3ec73c38535bc99eb1c82f7eb3a142a5bb1dfa04d2b08dc317058e22cd7ce9b27a68085
SHA1 hash:	3580ddb36bd6eec0564ed9b9a07e681a3c27b755
MD5 hash:	aab3f610c9f0124b419202110e97e19c
humanhash:	maine-iowa-william-carolina
File name:	3368b737bc6f1891331e6d835edab190fdaba0faec69f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	285'184 bytes
First seen:	2021-07-12 13:40:37 UTC
Last seen:	2021-07-12 14:49:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	87013b0668ec7416f29f05f8b35fc5db (1 x Gozi, 1 x RedLineStealer)
ssdeep	6144:g/9j/nE+vm+i1wLT5dLCUuIWBr4JlL9lEM1Dl:g/9DE9+i1wviD30TEM
Threatray	1'224 similar samples on MalwareBazaar
TLSH	T18154DF2076B0D433E2A315B15474C7B05A3BB9722B31A54F26531F9F2F322D27AA9387
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.209.28.5:15027

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.209.28.5:15027	https://threatfox.abuse.ch/ioc/159761/

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

97f751d8e067a8ff661e6f4cb0eb7cd3033abdb89d5e87e50581e011ff4f4144

Verdict:

Malicious activity

Analysis date:

2021-07-12 11:03:03 UTC

Tags:

evasion trojan loader rat redline stealer phishing vidar

Link:

https://app.any.run/tasks/da500ae2-76cd-4405-9a49-5cef7623cb86

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/171117/

Detection(s):

SecuriteInfo.com.Variant.Zusy.392854.1272.22703.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0f8a4e88-b6d5-467d-90fe-f88d367da898

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/814947

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3368b737bc6f1891331e6d835edab190fdaba0faec69f18d3823f575ac860898/

Threat name:

Win32.Trojan.Hynamer

Status:

Malicious

First seen:

2021-07-12 13:41:12 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gnulon54n4mjcmy6nwbv5wvrsd62xih25ru7ddjyep2xllegbcma._file

Verdict:

malicious

RedLineStealer

326c2c9f4f724fb74c0d826aaa93c3c86140a26bd2c0f27a37407ac1dbdc7c59

RedLineStealer

3557b514f9eada3659219bc4c1401d074f814ba82bf137ba0671fec66078d534

RedLineStealer

76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93

RedLineStealer

87e1e8b1fb643ea3665a8d6994bf5f7f9b48ce07218ef488d49f95142eac0eaa

RedLineStealer

b138c67994648f1784c8263e0af703662e2bd8e55d9d8a1189dcf243f2bff657

RedLineStealer

b6255ccb6a0c4843452827ec54f6f041a3285f3042668d1ba4f7593f733d420f

RedLineStealer

bcd0816d97ffba1d11214540f3bf25344f835281fdd67edba638054527833222

RedLineStealer

ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5

RedLineStealer

e10f5bc4cb6610bd2aee334a581f2a9872b16c830bdce2f67ffe3cf57bf0b065

RedLineStealer

+ 1'214 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210712-lznsd7xkv2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.209.28.5:15027

Unpacked files

SH256 hash:

be99b8f2d5e4f713cabebeaa35737c1858f7fd25efc05109bf728d6071068395

MD5 hash:

7e653d00eabf4d633d89cd8c1f6bcd02

SHA1 hash:

e97c7603dc7fb9be572e16b030be5d0ae7d8dc02

Link:

https://www.unpac.me/results/31dbd984-4584-45fa-a90b-e55e196eb2eb/

SH256 hash:

15e8865072847ec5280ab619029e86e2a04f2d1cb1110637758fe05f448de940

MD5 hash:

9ed555c29fdadbab4c38668587544a64

SHA1 hash:

9bb1244087d895e8cf91c261c74ad458ae945e80

Link:

https://www.unpac.me/results/31dbd984-4584-45fa-a90b-e55e196eb2eb/

SH256 hash:

579a8fd73f116964c1a439c810c638a8b09169ae63f0cb73c5ef138da412c1fb

MD5 hash:

64448729142774152021c1444ad28957

SHA1 hash:

51e5693b046ddbbd61da0301a56d6eb0c5096bf5

Link:

https://www.unpac.me/results/31dbd984-4584-45fa-a90b-e55e196eb2eb/

SH256 hash:

3368b737bc6f1891331e6d835edab190fdaba0faec69f18d3823f575ac860898

MD5 hash:

aab3f610c9f0124b419202110e97e19c

SHA1 hash:

3580ddb36bd6eec0564ed9b9a07e681a3c27b755

Link:

https://www.unpac.me/results/31dbd984-4584-45fa-a90b-e55e196eb2eb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3368b737bc6f1891331e6d835edab190fdaba0faec69f18d3823f575ac860898

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171117/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample