MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3504e4a5a07c38293a2dacb167180c4e54663692a3dd6cc95b94d828daaffbab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3504e4a5a07c38293a2dacb167180c4e54663692a3dd6cc95b94d828daaffbab
SHA3-384 hash: 2ed1b0f82342eba225553940e424eafb8de48d10ed5e70a921bc26f1fca3294e73ffc72057b513c953d0e2644f59a88c
SHA1 hash: dfc8a5c8d1d16eea1cde22e13f805b1a15912554
MD5 hash: 61348a2f94311f49a86d53f96ade0ad7
humanhash: rugby-earth-fourteen-bravo
File name:61348a2f94311f49a86d53f96ade0ad7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'444'864 bytes
First seen:2023-10-30 18:25:43 UTC
Last seen:2023-10-30 19:45:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 85eaf26c78904a7e3734d1f5fb1f519e (1 x RedLineStealer)
ssdeep 24576:NNpbYeb7vdHa0RgsBoxJhPeAoMOXxtH53zzihIlmpEalp:NNdN72hPeAbOB5UWlmpE0
Threatray 649 similar samples on MalwareBazaar
TLSH T13565F121FB904537D57316389C0B5768ED39BE113A38A88E7BE41D4C2F7A7C23929297
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13097/50/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 1c54a4c8f4c0d8e8 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
149.100.158.96:80

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://gorichemarketing.com/download/setup.rar
Verdict:
Malicious activity
Analysis date:
2023-10-30 14:39:11 UTC
Tags:
sinkhole privateloader evasion opendir loader risepro stealer stealc redline amadey botnet trojan ransomware stop smoke miner rat backdoor dcrat remote arkei vidar autoit teamspy g0njxa
Link:
https://app.any.run/tasks/83891562-ffca-4443-9a0c-8f79d813a521

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457158/
Detection(s):
SecuriteInfo.com.FileRepMalware.11669.1159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process from a recently created file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin
Link:
https://www.filescan.io/uploads/653ff53a0ca0b0185171727f/reports/a332683b-a861-42da-9b06-65dc55039ee9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/3504e4a5a07c38293a2dacb167180c4e54663692a3dd6cc95b94d828daaffbab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a9a970f4-4cd5-474f-ade2-34346f35696f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1334444
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1334444 Sample: J2eaJ13d27.exe Startdate: 30/10/2023 Architecture: WINDOWS Score: 100 41 tWDrCQSstZmeDUPtfxLxCakucb.tWDrCQSstZmeDUPtfxLxCakucb 2->41 43 api.ip.sb 2->43 57 Snort IDS alert for network traffic 2->57 59 Found malware configuration 2->59 61 Yara detected RedLine Stealer 2->61 63 2 other signatures 2->63 10 J2eaJ13d27.exe 10 2->10         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\Temp\...\Aircraft, PE32 10->39 dropped 13 cmd.exe 1 10->13         started        16 conhost.exe 10->16         started        process6 signatures7 73 Uses ping.exe to sleep 13->73 75 Drops PE files with a suspicious file extension 13->75 77 Uses ping.exe to check the status of other devices and networks 13->77 18 cmd.exe 1 13->18         started        process8 signatures9 55 Uses ping.exe to sleep 18->55 21 Ordering.pif 1 18->21         started        25 cmd.exe 2 18->25         started        27 cmd.exe 2 18->27         started        29 6 other processes 18->29 process10 file11 35 C:\Users\user\AppData\Local\Temp\...\jsc.exe, PE32 21->35 dropped 65 Found API chain indicative of debugger detection 21->65 67 Found API chain indicative of sandbox detection 21->67 69 Writes to foreign memory regions 21->69 71 2 other signatures 21->71 31 jsc.exe 15 4 21->31         started        37 C:\Users\user\AppData\Local\...\Ordering.pif, PE32 25->37 dropped signatures12 process13 dnsIp14 45 149.100.158.96, 49717, 80 COGENT-174US United States 31->45 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->47 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->49 51 Tries to harvest and steal browser information (history, passwords, etc) 31->51 53 Tries to steal Crypto Currency Wallets 31->53 signatures15
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3504e4a5a07c38293a2dacb167180c4e54663692a3dd6cc95b94d828daaffbab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3504e4a5a07c38293a2dacb167180c4e54663692a3dd6cc95b94d828daaffbab/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gucojjnapq4csornvsywogamjzkgmnusupowzsk3stmcrwvp7ovq._file
Verdict:
malicious
Similar samples:
140653704128a6aa88f80e80b387e87892367b26da00e392e9ccf181bb48408b
RedLineStealer
58d47e392f91578d5820d3625103ffd9461e66d7328a7016d0a69a39bc04f3af
RedLineStealer
9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483
RedLineStealer
a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
RedLineStealer
b4a130338bd6099c1ca3c0e0866127db0b5df6ac51e74347654b5b6d2ee0de96
RedLineStealer
c9ff159b826661ea2361ee7a5ddb7fe27c036e9906f93cc302e4ed8851f4fffa
RedLineStealer
+ 639 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:installs3000_20231030 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/231030-w26nfsee4x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
149.100.158.96:80
Unpacked files
SH256 hash:
f604fe1321884993a32371f70053c1ee63891724586776fb76bdb31c92bca872
MD5 hash:
a8c2ecc34365c2f830181b23dee89092
SHA1 hash:
2bc83b5316b54c0e536e440a2599ebbdbab71b81
Link:
https://www.unpac.me/results/56b8ad2f-6f82-496d-a0d9-5f5f03dbc6b2/
SH256 hash:
3504e4a5a07c38293a2dacb167180c4e54663692a3dd6cc95b94d828daaffbab
MD5 hash:
61348a2f94311f49a86d53f96ade0ad7
SHA1 hash:
dfc8a5c8d1d16eea1cde22e13f805b1a15912554
Link:
https://www.unpac.me/results/56b8ad2f-6f82-496d-a0d9-5f5f03dbc6b2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3504e4a5a07c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3504e4a5a07c38293a2dacb167180c4e54663692a3dd6cc95b94d828daaffbab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3504e4a5a07c38293a2dacb167180c4e54663692a3dd6cc95b94d828daaffbab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2719048/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/457158/

Comments