MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35914984b758d4dea8f6f8557f42b49a5ff64909a7a90fe3aea3f587ad8fd505. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	35914984b758d4dea8f6f8557f42b49a5ff64909a7a90fe3aea3f587ad8fd505
SHA3-384 hash:	6cb4b7521490568aa208c5cf81c53006c87f13c62e94cc93acfd39d94c894f9d21ec9ce4abbbc590e40d9e1b7af95661
SHA1 hash:	f17ea7aae8d1c6af4399f543df2d9d3d57e62748
MD5 hash:	e72291c3a221e8a195b6f445cb5b3367
humanhash:	mirror-timing-asparagus-mississippi
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'404'224 bytes
First seen:	2022-11-03 15:59:41 UTC
Last seen:	2022-11-04 07:03:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	52f574622596890eb65ea76d3cae743d (1 x RedLineStealer)
ssdeep	98304:wMfNsjsgnhRmdxJeoOXDxMhfgbjYUPCnjmRuF8bXR:PsAgnPKjyDx8f2YRlFm
Threatray	414 similar samples on MalwareBazaar
TLSH	T15416F25263CDC01FD0AC4534DC3699B013B27B4D99ADE0B67BBDBDCA26BB9839101792
TrID	46.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 19.7% (.SCR) Windows screen saver (13097/50/3) 9.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.7% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	cc8e2425a411e844 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc759438714_648876363?hash=BMu9xTrtQBruNPogBULXWz8QmBeV5jhOHbIHb999EDs&dl=G42TSNBTHA3TCNA:1667490984:LXGtng4Z2GfikSoT8gg9ZDLSUgUbZVu0ZFbyPXVjoT8&api=1&no_preview=1#privet3

Intelligence

File Origin

# of uploads :

358

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-03 16:03:01 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/2c2a4793-24d1-4564-90c4-4f1ad0d5b767

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/328048/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.14164.17937.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/48070/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed setupapi.dll

Link:

https://www.filescan.io/uploads/6363e59796e7fbdce590177f/reports/de468776-ebf8-4315-8103-857b222c4b34/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/63d58a46-5427-485f-9a37-8150c6d44ec3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1104587

Signature

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35914984b758d4dea8f6f8557f42b49a5ff64909a7a90fe3aea3f587ad8fd505/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-03 16:00:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gwiutbfxldkn5khw7bkx6qvutjp7msiju6uq7y5oup2yplmp2ucq._file

Verdict:

malicious

RedLineStealer

774fa8863d2cb1747c338ef9023103d535715b30b6d5450a9ee146663d77c89b

RedLineStealer

7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97

RedLineStealer

83ad440cf8c2cdd99ec8b184590fe0e9138cccd686b2136eaddc2cdfcf85aecc

RedLineStealer

aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48

RedLineStealer

c5b4ef6efd9f7da867cceb90761c47c62e882bce0cc20ca88f5f73fb7308c01c

RedLineStealer

c75b21d9f3189b648b2b83dae0fb48e49eb5458e8c3c5cfbdbcac460b43acc32

RedLineStealer

d72645347b3fa6134cc416b6b9d73eec9d4ef2af4dbf26c6b91da795144c394c

RedLineStealer

ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

RedLineStealer

+ 404 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/221103-tfmx4scbd3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/49ae2834-5cad-4f8d-b600-9804b3b7fb70

Unpacked files

SH256 hash:

7bf27299bf01279bb3765598b3d8b4924f94c358fb718ad2edd17e28f47d5a27

MD5 hash:

cb66acca17ab5312e29a4f1d5b414cd2

SHA1 hash:

d60152489dbadf3f7dc54f22c4ccf28329608ef8

Link:

https://www.unpac.me/results/abe2e074-97a5-408e-a682-ffc19b027b5e/

SH256 hash:

67de805056a0aadb5c0e4e02b47e77eb1349808a88baf282dff6017644f7dd09

MD5 hash:

a6ab9015042da1398fd91e560a6ecc6a

SHA1 hash:

82458d10d554ff003acc07164caf8f3907ace553

Link:

https://www.unpac.me/results/abe2e074-97a5-408e-a682-ffc19b027b5e/

SH256 hash:

03209e503389396b0b0d4b9678057876abdf193ecec966205791eee099e74184

MD5 hash:

28f5f700238bedbe7047241cb7c46eae

SHA1 hash:

a75c40ffd06d7625ed3a32ff070a086aeb931542

Link:

https://www.unpac.me/results/abe2e074-97a5-408e-a682-ffc19b027b5e/

SH256 hash:

35914984b758d4dea8f6f8557f42b49a5ff64909a7a90fe3aea3f587ad8fd505

MD5 hash:

e72291c3a221e8a195b6f445cb5b3367

SHA1 hash:

f17ea7aae8d1c6af4399f543df2d9d3d57e62748

Link:

https://www.unpac.me/results/abe2e074-97a5-408e-a682-ffc19b027b5e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35914984b758d4dea8f6f8557f42b49a5ff64909a7a90fe3aea3f587ad8fd505

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/328048/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample