MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33b95d37a5798d22164b77968c99f8d0c1925aad08daa0f200a365f87353f160. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33b95d37a5798d22164b77968c99f8d0c1925aad08daa0f200a365f87353f160
SHA3-384 hash: dd3c921592f6030441942e5de1ef4c5c8cb4662fa858d54c5667936c7458f4a934917e84d0b92a88f997d41a87fcf6db
SHA1 hash: 4c57a505f8fde4d3a1ae447da330d8cc670ba204
MD5 hash: 7a77bf3cf682a68fbdbd07668fdc169a
humanhash: moon-maine-ceiling-mobile
File name:7a77bf3cf682a68fbdbd07668fdc169a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:295'936 bytes
First seen:2021-11-24 01:45:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2592ff0cb9d4716be385a37eb0faa8d (2 x RedLineStealer, 1 x Loki)
ssdeep 6144:DrDzpkavrad6Zs2Mo24RLvk+ezcznsNOeo1c4:DX1kaze6SFo24RLvk+dTYOc
Threatray 3'687 similar samples on MalwareBazaar
TLSH T1ED54F1213FB1BAB1D8E3D63124708B51DE3E7C666D7581472364263A2E752C08B7E36B
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7a77bf3cf682a68fbdbd07668fdc169a
Verdict:
Malicious activity
Analysis date:
2021-11-24 01:49:17 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/24d51c6a-4179-44de-8a95-5368ad94a853

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/619d996002c80febc2a7a855/reports/f2ea2fc8-ba4b-4463-b997-632b286ace5f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fd9577f-f3eb-4be0-9937-a8b4c910b904
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895125
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33b95d37a5798d22164b77968c99f8d0c1925aad08daa0f200a365f87353f160/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 01:46:11 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
36 of 45 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=go4v2n5fpggsefslo6lizgpy2dazewvnbdnkb4qauns7q42t6fqa._file
Verdict:
malicious
Similar samples:
1732eb210d5a39ffd2427bc67a22211bfe7dd8d230e557e24a8c889cd6ce233a
RedLineStealer
3ea19538971898322afce6110691bd03b0c18d97e044cc99264ebca714fc876e
RedLineStealer
a55d60e2368ff8831b9c2c5c3701b38b752cdce50ea2c498b0811e2a96cbba7d
RedLineStealer
bc01b38f7fc0e039d1d8fc56a4a9fd06c97543cb33542fac2e64057b3485437c
RedLineStealer
ec75d2e78898eef0f85ec90d16989cf9c1fb5f1e0f7b45cddad67192846aa8da
RedLineStealer
+ 3'677 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211124-b6z19abgdr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:26828
Unpacked files
SH256 hash:
b234454c51db11d58735da36cf638d075a9c9798776935418fc39e36849f8f14
MD5 hash:
31855c348a43090d89ff62fa19b1224d
SHA1 hash:
fc248f68da407a6be9719d7b8041e5c8029e160c
Link:
https://www.unpac.me/results/95a91444-3494-4caf-ae87-39e195f2e6bf/
SH256 hash:
f376dba3133daecb23b65247d748bdea6f5b0ad6eb64abaaf50d4f67be8b74c7
MD5 hash:
0c858c311ca6e8a905aa810b0032bc1e
SHA1 hash:
97a7d37cced11b841489e2fcb638224dbf51aa3a
Link:
https://www.unpac.me/results/95a91444-3494-4caf-ae87-39e195f2e6bf/
SH256 hash:
c319ae8878e4ec07e16607a2a74cada5ad8e38d8b39c7a9d8a94ced92a4e4068
MD5 hash:
008652ed815a4d28b38d2bbee5ab7faa
SHA1 hash:
757257cc54b39401e9d937181079a125a8051346
Link:
https://www.unpac.me/results/95a91444-3494-4caf-ae87-39e195f2e6bf/
SH256 hash:
33b95d37a5798d22164b77968c99f8d0c1925aad08daa0f200a365f87353f160
MD5 hash:
7a77bf3cf682a68fbdbd07668fdc169a
SHA1 hash:
4c57a505f8fde4d3a1ae447da330d8cc670ba204
Link:
https://www.unpac.me/results/95a91444-3494-4caf-ae87-39e195f2e6bf/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/33b95d37a579/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33b95d37a5798d22164b77968c99f8d0c1925aad08daa0f200a365f87353f160

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 33b95d37a5798d22164b77968c99f8d0c1925aad08daa0f200a365f87353f160

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1811085/
Cape
Cape
https://www.capesandbox.com/analysis/208855/

Comments


Avatar
zbet commented on 2021-11-24 01:45:40 UTC

url : hxxp://193.142.59.14/myblog/posts/sefile.exe