MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3390d876a4ce21da79830b42ac027e7c078a313547f6717fc0741a25926b40bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments 1

SHA256 hash:	3390d876a4ce21da79830b42ac027e7c078a313547f6717fc0741a25926b40bf
SHA3-384 hash:	66bf1a328d81ae316438454a8b45a28b9db84d46069e641e4c8d685fae0c10d91cc22b192e9e120480824921d539ca64
SHA1 hash:	8fa044999029d2285bd90a72010e5dd78706d630
MD5 hash:	9dccca554530f559bc85f0e52d86c49e
humanhash:	nineteen-carbon-early-mississippi
File name:	9dccca554530f559bc85f0e52d86c49e
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	726'016 bytes
First seen:	2021-11-05 22:47:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9e4746628ebaf71569a51552a1011d76 (6 x RedLineStealer, 3 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	12288:ZNH/wu0Xa2Bbwrk+OoP7xD9wLpLcsZxyvd9cpsjVCyuVoNzpnRQsr58CBrcjmRGn:jH4ja28R5dytckYasRCUpnR5vrcjmQCY
Threatray	816 similar samples on MalwareBazaar
TLSH	T127F4F140B7E1C039F1B212F8797593B8713A7DA1AB6481CF12D53AEA4A74AE0ED70717
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/202843/

Detection(s):

SecuriteInfo.com.Variant.Fugrafa.194388.18108.32432.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lockbit packed

Link:

https://www.filescan.io/uploads/6185b4a5c03a81a502431ac0/reports/bdf44b56-5d4e-4b35-ad1d-f141dd07849b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ac21e38c-d6d3-4a74-95e4-0109f648a112

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3390d876a4ce21da79830b42ac027e7c078a313547f6717fc0741a25926b40bf/

Threat name:

Win32.Trojan.Phonzy

Status:

Malicious

First seen:

2021-11-05 22:48:07 UTC

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=goinq5vezyq5u6mdbnbkyat6pqdyumjvi73hc76aoqncletlic7q._file

Verdict:

malicious

Label(s):

asyncrat

RedLineStealer

1e4d22b644db33118955f64d7dc91e61696dbdff24760fda12c33c3289e2215a

RedLineStealer

3e503d31e990d9452c5f5ee146e7f83f46df6b034563f8a6d10959de7b43ae78

RedLineStealer

4955fdfd3badd730cd26c71a8804d57a38310b8cd1981397c00db1ea24e14507

RedLineStealer

63d9527d69c228772ebadb63c1e74d7d0702acac52357fcea08ec5a408ca0453

RedLineStealer

679edb212554b93cab86d093150f288010f0b0a71d813f23461ddc1bb8151b13

RedLineStealer

863ffe4f5f345bedf85854875b10c19fcd8d951562eab07a0b5dc9e892abb4bf

RedLineStealer

a471c6e29bde00363fce770ed79fb8f9fff011febc26e87862c53ca32aa3f55c

RedLineStealer

a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce

RedLineStealer

d8271e3a38ba916aa701c5b4cb01eb75abface3d401e604248434d7f79ffaad0

RedLineStealer

+ 806 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:06.11 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/211105-2q4bvaabel/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

185.215.113.17:7700

Unpacked files

SH256 hash:

3cfbdce8039a6bd7e9abbdeeb8c9cb2c34420687ba9706cbf3ac0045b200c739

MD5 hash:

2b25c3a86c92b895eefbc17dfca55d62

SHA1 hash:

cb55e649f4be7426b1d853ff73d81218a4ce6390

Link:

https://www.unpac.me/results/cc1f8034-e46a-4f81-ab5b-44a56e16c405/

SH256 hash:

3390d876a4ce21da79830b42ac027e7c078a313547f6717fc0741a25926b40bf

MD5 hash:

9dccca554530f559bc85f0e52d86c49e

SHA1 hash:

8fa044999029d2285bd90a72010e5dd78706d630

Link:

https://www.unpac.me/results/cc1f8034-e46a-4f81-ab5b-44a56e16c405/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3390d876a4ce21da79830b42ac027e7c078a313547f6717fc0741a25926b40bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer