MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34e76d8a68c1eefd5681eb51a19019d189323f646c789cdec108c02dca04405c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 34e76d8a68c1eefd5681eb51a19019d189323f646c789cdec108c02dca04405c
SHA3-384 hash: f1a9192d143f66ee69331b122bdb01660071efbfcd1397e1d1e44215e736eaf743c459924c44abc790180676237a2065
SHA1 hash: ee4b1793e721d6b9cf6d8b941d678d08cbfea5fa
MD5 hash: 1ce030459c304451bd6416d7b1cbe83e
humanhash: missouri-mountain-queen-winner
File name: 34e76d8a68c1eefd5681eb51a19019d189323f646c789.exe
Signature: RedLineStealer
File size: 259'584 bytes
First seen: 2021-09-26 06:06:13 UTC
Last seen: 2021-09-26 07:08:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 062d438af0a5427d47d2119e831026d3 (27 x RedLineStealer, 8 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep: 6144:FoV6of3Fsd3OmNispULImS21TxdcIWqHEad:+V3F2eml6LPS21TvcIDhd
Threatray: 2'381 similar samples on MalwareBazaar
TLSH: T17B44D011B6F2C431D3A749355839C2A52ABABD326E73C10BF35D165E4EE23D08AE6317
dhash icon: fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
188.119.113.86:40729

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
188.119.113.86:40729 | https://threatfox.abuse.ch/ioc/226594/

Intelligence


File Origin
# of uploads: 2
# of downloads: 187
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 34e76d8a68c1eefd5681eb51a19019d189323f646c789.exe
Verdict: Malicious activity
Analysis date: 2021-09-26 06:07:41 UTC
Tags: trojan rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.Zenpak
Status: Malicious
First seen: 2021-09-25 14:01:03 UTC
AV detection: 18 of 45 (40.00%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:delim discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 188.119.113.86:40729

Unpacked files
SHA256 hash: 3d0518bebbf45e6459fcab5795d729b1a7c058df2f045f382114e7249add8cae
MD5 hash: e7baddd4f017a5855783f61b49a9275a
SHA1 hash: 93f0b8ffe4f6a0c881e8cb754f885422de33b073

SHA256 hash: a623715f4301faec93367689178a0535b1232eb0d3141a21fe8d0f2070e35bfb
MD5 hash: de0e4e185a290c31be6ba543c2904da3
SHA1 hash: 6671ed9f27472a546add434c190fd32f5440b8f8

SHA256 hash: a52a6daba15af55c647ffe34c6739e959e16eaade07bfff94b4e686a47297c7f
MD5 hash: 02f9dfbbc3867a773aa97b9c68ec1850
SHA1 hash: 26ce8b2d1497dc510256d69908f40f36a9ac9097

SHA256 hash: 34e76d8a68c1eefd5681eb51a19019d189323f646c789cdec108c02dca04405c
MD5 hash: 1ce030459c304451bd6416d7b1cbe83e
SHA1 hash: ee4b1793e721d6b9cf6d8b941d678d08cbfea5fa
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments