MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34827a66a28b9fad1b1f0daeb1f4d15185942df647207305d94f00e6be2a689e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34827a66a28b9fad1b1f0daeb1f4d15185942df647207305d94f00e6be2a689e
SHA3-384 hash: f534bf31a4d3fd25bdba3934fe80e78fb3ff30ecf373dd0798c51c2f7c37f3fc0b2c48a3468cff71fa38c57190ae9f83
SHA1 hash: 4b3fa5b34b1b20578f4e4175c5beb59485456b70
MD5 hash: 462cbce168a80b91b2c14f5ea975fd85
humanhash: pluto-illinois-tennessee-batman
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:468'424 bytes
First seen:2023-10-07 09:21:18 UTC
Last seen:2023-10-07 14:59:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 06ede52fcc31e4900f4f1a7060fce645 (10 x RedLineStealer, 6 x Stealc, 5 x Amadey)
ssdeep 6144:99oToLkbRalPXkmJavrR25LAOB3cC5d2U+mSQvmu54G5QB0MKa8osbktmIX0p:99o+kNalvBnfZwQvMG5QiL3gtsp
Threatray 247 similar samples on MalwareBazaar
TLSH T168A44A00BDD2C07BF9A3597225888F752A29BE65C3E9C5DB875CFEBDCB9058207E1142
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin
# of uploads :
13
# of downloads :
293
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://jatoo-ci.com/wp-download/zip.7z
Verdict:
Malicious activity
Analysis date:
2023-10-07 10:55:32 UTC
Tags:
privateloader evasion opendir loader risepro stealer stealc redline tofsee botnet ransomware stop miner vidar trojan arkei hijackloader raccoon recordbreaker amadey raccoonclipper
Link:
https://app.any.run/tasks/93c6acfe-dc4a-4a7a-91b1-928d27c7218b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61922.9812.22054.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Modifying a system executable file
Delayed writing of the file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Infecting executable files
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/6521233b1e07d7e1e9b6afec/reports/f4add139-7c12-41e4-9d37-e2edc652364a/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/34827a66a28b9fad1b1f0daeb1f4d15185942df647207305d94f00e6be2a689e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2081794b-7a08-470e-b9a2-779b1155827d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321421
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34827a66a28b9fad1b1f0daeb1f4d15185942df647207305d94f00e6be2a689e/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-07 09:22:07 UTC
File Type:
PE (Exe)
AV detection:
18 of 22 (81.82%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gsbhuzvcrop22gy7bwxld5grkgczilpwi4qhgbozj4aonprkncpa._file
Verdict:
malicious
Similar samples:
25e8ba86547bd5f21aabf72674ec48c2d4da7eb8845070d31d6af9831ab5e9ad
RedLineStealer
269b887be354364129afc07fafc0c1bef045ea8b1a50183ea7177a542b708d6b
RedLineStealer
4465e8c20f4e65e979521f058a3dfbeaa1e7d886589ff031957153c0a57a4860
RedLineStealer
545dfa973a3c7308627b21d1c230d58323bf08fdf8e0a31fdf4efaefd5f2fa12
RedLineStealer
6357feae9f58a47c17425768a928d81778934c86aa86eba0d57a75ffec4854f3
RedLineStealer
ae2f8d58e78cfe8df09b337a75f79795aab3f565776be32e35cc8ee2d747599f
RedLineStealer
c13ef6f741861e02f505fcd7dd8e5f770c5e0b70167e65c6fa14b59067a3e2cb
RedLineStealer
c423824a09513d5ba538095fcf0b8c6dffa339ec2522616d49be5c0a12c4c27b
RedLineStealer
ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3
RedLineStealer
ff606d2b2815f58f2b5aea9653995de2ce548b8227ed9d0d9d7f2ed51a510a99
RedLineStealer
+ 237 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:smokiez285 infostealer spyware
Link:
https://tria.ge/reports/231007-lbw18aac9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.169.175.232:45451
Unpacked files
SH256 hash:
2badafa867fda2f72ddb7a8491dc64f8a0757ff07d4f512edda5900d3be74d65
MD5 hash:
6583555afa403cca26d68c3a9386fd68
SHA1 hash:
c071a264674ccc87fd4b865e9164f6b0eac62d9a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/1ebe3996-5c13-463e-9343-aa70307d967e/
Parent samples :
be8ec715501cffc350a70f6152f1244907091af202e574b38c4b8e9077e2d7e8
ea12961ab4496771ad1f6056a294a335d60661a725e98f7a443cc45e4826860c
63a2e4ff605edbe78b72027f63b1ee37f76dd48c1a216e4f42a819cab7b57179
40a90e628cc075526434cf155a464239f8f6a6dc9157788dee5b5209943ab67f
9cc458ba7d97a5db07e7a42561b0d55e4adfce7e41a4a477b06e3b0fd5e871bf
d78ba749c5162b591ec8b2e8e70fc758bd545f86c05b05c47d4d0388833bd498
c13ef6f741861e02f505fcd7dd8e5f770c5e0b70167e65c6fa14b59067a3e2cb
d3595d8ed1b9f2ec77f0c654fe92e8397ffbd9cae6615f87f68fd0442d6229cc
34827a66a28b9fad1b1f0daeb1f4d15185942df647207305d94f00e6be2a689e
4f90d97f3ef33851bba630cb781820f861144c97b7b962363ba18ee9bd72a7c2
53a93577991f5ff457ce602fbdb133754cdbb3b3d73300aeacb5640819a1920b
71580dae1707ba6cf9590f966cb9f3af646f413c2f418de864da8f2148b76b25
7facbc0f3f99b780c838a040234fc2e1315bd3d3acadc0ee0226eb890e891605
10816d319e9567cf374028eb1e510a5459eaf757d92358c2c11f36bc23186d21
97d9696f980554aa1ac89abae70e947e83875a399f346026722e01c3bfc685e6
ffbd6ffb75e77b342f3caa7729254ef5dc198c783a78310d74923fd86ce4614e
SH256 hash:
34827a66a28b9fad1b1f0daeb1f4d15185942df647207305d94f00e6be2a689e
MD5 hash:
462cbce168a80b91b2c14f5ea975fd85
SHA1 hash:
4b3fa5b34b1b20578f4e4175c5beb59485456b70
Link:
https://www.unpac.me/results/1ebe3996-5c13-463e-9343-aa70307d967e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34827a66a28b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34827a66a28b9fad1b1f0daeb1f4d15185942df647207305d94f00e6be2a689e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2706937/

Comments