MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33aa911e5bb98ff8e1bf00f95d2106e043beae64a6fc8321ccae03bcf0969515. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33aa911e5bb98ff8e1bf00f95d2106e043beae64a6fc8321ccae03bcf0969515
SHA3-384 hash: 579c1f50a8a93d00e50226dece7eb6eae86da8f1868b4542ad809f3f8235b662a00bb22bedbc214a4fb0cbdcda3b603f
SHA1 hash: e083b506042b2a2886d8e102d969d164b229ad11
MD5 hash: c0c9e9f46188886555479979980c56b6
humanhash: march-eleven-south-eight
File name:SecuriteInfo.com.Trojan.PWS.Siggen3.13005.23738.22414
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:567'808 bytes
First seen:2022-03-21 18:14:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:2EryAvpFnMrSbXXL8ledc0pxZ9ThQS03ULaHNqrxlKIQNoQfdHcmTpLhb:/y2pFnMObXX319ThkEaHNYK3hcmTFhb
Threatray 1'801 similar samples on MalwareBazaar
TLSH T188C423CBFF85ED9DD2CF89FED0253A45925BFA16E5E8705BE0AEA7C31B290929100054
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253747/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Siggen3.13005.23738.22414.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Sending a custom TCP request
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6238c0c6dfdfa8501cc827e4/reports/c1cc5982-c00a-4feb-9fb9-d047608bb6c3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16cd8e2d-4ece-4b4c-b282-7fc6bd21fa33
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961153
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33aa911e5bb98ff8e1bf00f95d2106e043beae64a6fc8321ccae03bcf0969515/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-18 21:41:36 UTC
File Type:
PE (Exe)
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=govjchs3xgh7ryn7ad4v2iig4bb35lteu36igiomvyb3z4ewsukq._file
Verdict:
malicious
Similar samples:
2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527
RedLineStealer
381517605def58f63a5aabe969f824b399e16c952042d3d549bf4a276d433eb5
RedLineStealer
4b53dc815775a5f6d377218f9bee6b102d49f5dfc678f5a939ec2e0be0890e4b
RedLineStealer
59131e55898be4de6efa846f46a69f71e7ab941e6b0e3f6fc01b80693d68ea44
RedLineStealer
6b70b5494393d3644de4dd90ae5a906407175daea6ee97c0419997e99b4cdfd0
RedLineStealer
80cdfc120b7824e7cb5b34fc9ab1b6b43b84dfb435fd8f3e681ad4ae0ebd41de
RedLineStealer
9505b90393d8e04ab1c4a2921f9cda3c857bb7ce6b2bd5458e0424e8df63cc0f
RedLineStealer
9f6e71649662dd86ed3b65a8d20ad8c21971cb8087d14eeb34449f04b573b737
RedLineStealer
b50d346307ef27c92bf6e5fda61bf060e00ab50119b50facb34cad30747f7c8e
RedLineStealer
d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b
RedLineStealer
+ 1'791 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220321-wvx3qsdde5/
Behaviour
Program crash
Unpacked files
SH256 hash:
9e4fe75563b6df7e03df02f45294e99bf8eaedd7448c46d28445acdff430e3da
MD5 hash:
42db51425cc400dd2127a799a5cd4881
SHA1 hash:
2fe7b98d1442a8d1eea57132a5faf9200efc00ac
Link:
https://www.unpac.me/results/2c5768e0-f01a-4fe2-9a54-2f59854dcb68/
SH256 hash:
3d4d9a4f1532e8a2667b3d10c410b752b58ac2e39f0545f88d5a9d7932c495d8
MD5 hash:
eb23ded6ce012f7560ed8aebe406bb15
SHA1 hash:
6451611721487e3dedbd4d2fe36f2d827f3dd656
Link:
https://www.unpac.me/results/2c5768e0-f01a-4fe2-9a54-2f59854dcb68/
SH256 hash:
33aa911e5bb98ff8e1bf00f95d2106e043beae64a6fc8321ccae03bcf0969515
MD5 hash:
c0c9e9f46188886555479979980c56b6
SHA1 hash:
e083b506042b2a2886d8e102d969d164b229ad11
Link:
https://www.unpac.me/results/2c5768e0-f01a-4fe2-9a54-2f59854dcb68/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/33aa911e5bb9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33aa911e5bb98ff8e1bf00f95d2106e043beae64a6fc8321ccae03bcf0969515

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 33aa911e5bb98ff8e1bf00f95d2106e043beae64a6fc8321ccae03bcf0969515

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/253747/
  
URLhaus
https://urlhaus.abuse.ch/url/2109378/
  
Delivery method
Distributed via web download

Comments