MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953
SHA3-384 hash:	ad8732ab7ab8cfa58efafce3d62d150bff4a2654108906cbecd6264f960ea3e66256c02a636050a9e65663422f93f691
SHA1 hash:	a019165898c668ec6e7348021f1a56a296e238ae
MD5 hash:	c84c94669ad2d825c7c94d973c2d9719
humanhash:	william-mountain-connecticut-oregon
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'166'848 bytes
First seen:	2023-10-24 10:02:25 UTC
Last seen:	2023-10-25 10:09:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2d0643e36831245775a52a67dd2bf66e (3 x RedLineStealer, 2 x LummaStealer, 1 x Backdoor.TeamViewer)
ssdeep	12288:5kyI1mKFzxq8F2dA844yYCJ4fA37mag88R82bfSNsYu83Cuki5GOW6R/LledCqn:8Me2dAb4yYCJ4A8H82GesppR/LUQq
Threatray	1'895 similar samples on MalwareBazaar
TLSH	T14F458D3174B08369EEA220BA0BEDF536867DE0B40F1412DF458F46EDDB50DC16A36A97
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc52355237_667343838?hash=zdFRocOdJtT0IyxFdnygjsrvYEitfza6BvyL25bGpZD&dl=sHDqrRzc8uNalY3nwHHztHxEdFCN6CpN55OVgGQqijL&api=1&no_preview=1#1

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/455939/

Detection(s):

Win.Packed.Pwsx-10012424-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Forced shutdown of a system process

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Gathering data

Verdict:

No Threat

Threat level:

2.5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/653796592b74b3f20dd97f10/reports/ec105e79-9083-481c-b4c4-082e46b0b7c0/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/443b1433-a3bc-43fe-b177-f4fc2407f2a4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1331178

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-10-24 10:03:07 UTC

File Type:

PE (Exe)

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gswyhfyczny4afovedodvlvmsaobnmdn4z4sutsmwt2ie3hp7fjq._file

Verdict:

malicious

RedLineStealer

305653109239144203fae4638c4f7eead4a84928ded603244b35ed1dc07b69d6

RedLineStealer

3861572608ff98d5b620849e73d67dcf776eaccecfe7f59e9c27871ea294fc31

RedLineStealer

46d36cf735f059102b5722d7aaa33c69dfa3f6d6a4f63a8d3528e56952f7a53c

RedLineStealer

6bb828d4ff1635fbb147f9a4accb3a083212ce9c730aec321a4038f0468d73ae

RedLineStealer

71c7c19982a6027ec52f68e4a800eaf31da738fead63e165dab1e39f0fa6196f

RedLineStealer

92ec90b07b5568d1f3effbb964848ee21f5257843ab5a7fb97135e6b476221b4

RedLineStealer

b5b47105645a8f5d02429e5d856f3b57411344272202a89c7d88a28fcc96a18b

RedLineStealer

ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5

RedLineStealer

d21d77361ba8b190552b4cc7014c8edc11c6599cb3be3948bfb69f7870fb76e3

RedLineStealer

+ 1'885 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer spyware

Link:

https://tria.ge/reports/231024-l3crnadh76/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

171.22.28.236:38306

Unpacked files

SH256 hash:

18771aab0d37ea21e0176445b17b75d145d9fc688a185e50293242c829566a73

MD5 hash:

ed7e9a6e6ce54ff2fc91b83cb84f422f

SHA1 hash:

5cbab5f2f27eea11b4efcd984547bb6389f23069

Detections:

redline

Link:

https://www.unpac.me/results/e25e27e1-bd79-476c-864e-198bc4a84927/

Parent samples :

af0e35ee6f95dcb0c2ff9656b4d82127a72711ffff0147caaef04687d9e41570
1b9988b9a11f14a6327034224cdc480e60a55af17342a833290cb58266d6b494
34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953
efd0fc618e4fc800de2058a13fcf94dfab2ce0f6f4e1504bc95a120e6edf20e1
f57d924e1c1b97aba0abe02943b16850bdd22d5eb6c5f9df5acfc420994402fe

SH256 hash:

34ad839702cb71c015d520dc3aaeac901c16b06de6792a4e4cb4f4826ceff953

MD5 hash:

c84c94669ad2d825c7c94d973c2d9719

SHA1 hash:

a019165898c668ec6e7348021f1a56a296e238ae

Link:

https://www.unpac.me/results/e25e27e1-bd79-476c-864e-198bc4a84927/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/34ad839702cb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/455939/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample