MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3507442790a6d27bf658e39d8be816c615bafdb98bcf623a2a4a36440a29cc57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	3507442790a6d27bf658e39d8be816c615bafdb98bcf623a2a4a36440a29cc57
SHA3-384 hash:	3a16812aea6c8ae141da87cc87ae90de57cfb38ee8a2354151362a1fb97ac2bc57544b14f09d0adcc6e5c9e5ea1e3c09
SHA1 hash:	0fd500ef50134f89b769c994d4423e60bea35f77
MD5 hash:	3812657e272bc8ee912f5e917e4ba26e
humanhash:	solar-india-winter-oxygen
File name:	3507442790a6d27bf658e39d8be816c615bafdb98bcf6.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'476'096 bytes
First seen:	2022-03-15 12:01:55 UTC
Last seen:	2022-04-20 10:21:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9841b26ace9b2500e342c1cd0b9e4fe9 (1 x RedLineStealer)
ssdeep	24576:WicgjyebUCs5mjAyhUZn+n2hNSfDYrODi7tvgfkRtT5NSQvsHXEWh6/h1vmm:n1mC7Ays+2MDAP7t2kDT5NhaXEq6T3
TLSH	T1F16533BA6A7E66D1C5CF2CF3263AC7B6F824FED8E3405485611C683AC6EA1C74354970
File icon (PE):
dhash icon	c4b2ccdcd4ccb6c8 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Woodstock EU
Issuer:	Woodstock EU
Algorithm:	sha1WithRSAEncryption
Valid from:	2020-10-01T10:00:03Z
Valid to:	2030-10-02T10:00:03Z
Serial number:	16c4e9c5ee6979904435620f03665403
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	8a92d71ac7c65e4a3b8e7235646bf4a4c06780971ed1a60c756c91a04bcb4405
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RedLineStealer C2:
185.215.113.20:21921

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.20:21921	https://threatfox.abuse.ch/ioc/395380/

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

i864x__setup__622fe52f6b183.exe

Verdict:

Malicious activity

Analysis date:

2022-03-15 02:03:38 UTC

Tags:

trojan phishing loader evasion opendir stealer

Link:

https://app.any.run/tasks/22611fa0-44bc-46a6-81f1-b526315b5d48

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/250741/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.26930.6093.15168.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

exploit greyware overlay packed pandora shell32.dll

Link:

https://www.filescan.io/uploads/62308045dfdfa8501ca3a865/reports/72070628-2f11-4c02-8801-ef813685f9e6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/655486a6-974f-441a-b0f0-ca6f7622f0f8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/956958

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3507442790a6d27bf658e39d8be816c615bafdb98bcf623a2a4a36440a29cc57/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2022-03-14 23:25:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=guduij4qu3jhx5sy4ooyx2awyyk3v7nzrphweorkji3eicrjzrlq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220315-n7gmhscgfq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

b4d881528fc6949c8d4b50941ccb04cf8d7af3cc73f1a9b3294f381fcdbe7dde

MD5 hash:

13fecc834557920fea3867acb6af5a79

SHA1 hash:

e3f79ecfb8dbd72681b3c084bd397924e0b4dd05

Link:

https://www.unpac.me/results/971265b1-bf5d-4671-8f54-127c350aff55/

SH256 hash:

3507442790a6d27bf658e39d8be816c615bafdb98bcf623a2a4a36440a29cc57

MD5 hash:

3812657e272bc8ee912f5e917e4ba26e

SHA1 hash:

0fd500ef50134f89b769c994d4423e60bea35f77

Link:

https://www.unpac.me/results/971265b1-bf5d-4671-8f54-127c350aff55/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3507442790a6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3507442790a6d27bf658e39d8be816c615bafdb98bcf623a2a4a36440a29cc57

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/250741/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample