MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c
SHA3-384 hash: a8e7b455bb0009affa85bb7262b5ba929291a266c665d3b6c1c2cc2b4f6f61857d2e172163a9348de4930ca21a0bcd49
SHA1 hash: 3b42121ffa43d4d7cb8e47657e9cacaae640bab1
MD5 hash: 7c1ede3dd17e1e51e2f13379adc30be2
humanhash: colorado-georgia-spring-illinois
File name:7c1ede3dd17e1e51e2f13379adc30be2
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'248'048 bytes
First seen:2023-03-08 12:34:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 36 x Vidar)
ssdeep 98304:p8i2Pa0qJP46XsU5SpMH08JHLoEZ3Hu9qsQyB4MBNXc7MJoemvkxbYbAjJ8:uirZ4izqGLLZXyqhyB4MB6NemXIm
Threatray 1'193 similar samples on MalwareBazaar
TLSH T130561241FCD790B1E502157209A7D3EF3B35B8091F329AC3DA14BB6AAC776E11D32266
gimphash ae521a3d2c0808c9c8a5681080ad689d8cd039dfe23faa0bd8dac8782889f0db
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:Hangil IT Co., Ltd
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-11-10T00:00:00Z
Valid to:2024-11-09T23:59:59Z
Serial number: 0139dde119bb320dfb9f5defe3f71245
Intelligence: 17 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 23d13a8e48a6eff191a5d6a0635b99467c2e7242ae520479cae130fbd41cc645
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
7c1ede3dd17e1e51e2f13379adc30be2
Verdict:
Malicious activity
Analysis date:
2023-03-08 12:40:53 UTC
Tags:
redline
Link:
https://app.any.run/tasks/b3529d2c-d20a-467d-8b55-59f82331baec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372565/
Detection(s):
Win.Malware.Wingo-9956993-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a window
Сreating synchronization primitives
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipper golang overlay packed
Link:
https://www.filescan.io/uploads/640880f98b48bcea611f115b/reports/0d4d53c1-5bb5-4cf1-a365-b4f3342a8c80/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/364ca2d6-452a-4b66-8296-38f93a37abff
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189414
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 822290 Sample: Md3KVxWVD3.exe Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 5 other signatures 2->37 7 Md3KVxWVD3.exe 2->7         started        process3 dnsIp4 21 iplogger.com 148.251.234.93, 443, 49704 HETZNER-ASDE Germany 7->21 39 May check the online IP address of the machine 7->39 41 Writes to foreign memory regions 7->41 43 Allocates memory in foreign processes 7->43 45 Injects a PE file into a foreign processes 7->45 11 MSBuild.exe 15 5 7->11         started        15 MSBuild.exe 18 7->15         started        17 MSBuild.exe 2 7->17         started        signatures5 process6 dnsIp7 23 176.113.115.220, 49705, 80 SELECTELRU Russian Federation 11->23 25 api.ip.sb 11->25 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->47 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Contains functionality to compare user and computer (likely to detect sandboxes) 11->53 27 t.me 149.154.167.99, 443, 49706 TELEGRAMRU United Kingdom 15->27 29 95.216.179.190, 49707, 80 HETZNER-ASDE Germany 15->29 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->55 57 Tries to steal Mail credentials (via file / registry access) 15->57 59 Tries to steal Crypto Currency Wallets 15->59 19 WerFault.exe 15->19         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c/
Threat name:
Win32.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 20:22:30 UTC
File Type:
PE (Exe)
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwritx72iicvnufocborhmjy7ltsa7poqcexd7xzh5sckvvrnzwa._file
Verdict:
malicious
Similar samples:
36b03249d7ae407da7b955d538e660eae8d3562a091393bb81c5b457ebfe83ae
RedLineStealer
3df572ecd8ad88b1b744adc3323998b64d8303ef1a19eba3d7fd6e76aeb67532
RedLineStealer
48aa1381548b2590a3ae1d740852fdefdf51c46666ee2d86e50aeae66afbda60
RedLineStealer
4e8575081ab4e714f413c5cbe83141127d397da4df656fe28f2a1c42356dbb65
RedLineStealer
62fb38640d60c70e8701cc74ebdfc7bf75b4e0274f0daa778ddef889abd3050e
RedLineStealer
7e349767b32221f32490d0c7270670a35d9c316936fb45bb9a5c900dba521cda
RedLineStealer
7e44724101abeaace0c8ab6e16471862f8fed840e9f70cfb62d56bddd39bdbbc
RedLineStealer
8b08628b3b7ad95bef5be23120ed741dcfca5d30f0d2dfdf83166b94c56f15d1
RedLineStealer
bf566a0e924a5567391242c61c0070a09ee3bca04a02e4f0170040b90e5b73e5
RedLineStealer
daeb55142c78a55a7f9b43b839d3d0708c8f0739fe260366070330876e72a340
RedLineStealer
+ 1'183 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar infostealer stealer
Link:
https://tria.ge/reports/230308-psby6afg6w/
Behaviour
RedLine
Vidar
Unpacked files
SH256 hash:
6a324f8b809cba90a6830f7ee00038c9ac7b2d6d7c471adccb92a66cb12a42f4
MD5 hash:
bd26604ca6a13ba3c13c69dad8f23c5e
SHA1 hash:
ec96c41b832c6b9a7bee5f620a82a19d138d64bf
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3db18095-a102-4a8a-94cb-f13c0f8379e8/
Parent samples :
35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c
b43b91f6495c2d4c9c48f707f17cf7d09e3dc46b9ca0759372945bd40d77a6b7
5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0
SH256 hash:
17c6303e2bb6e28075abe4e69bbd0286d9dad636e2649007a92fd08a9d40c720
MD5 hash:
86a511cb3f8688d71fe61fcf2cb0f208
SHA1 hash:
8cd58c749aef06a3420b1c887e5b428f8c430f66
Link:
https://www.unpac.me/results/3db18095-a102-4a8a-94cb-f13c0f8379e8/
SH256 hash:
aaa7692e4c2bb0cd819f730b111f02d8138e363ab60309cc5edb1ac63035e8aa
MD5 hash:
06b196587722b319f6f3d5706b9c2bee
SHA1 hash:
33d326d7ebaa1e012a2a7eab397cb2d5777d0560
Link:
https://www.unpac.me/results/3db18095-a102-4a8a-94cb-f13c0f8379e8/
SH256 hash:
35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c
MD5 hash:
7c1ede3dd17e1e51e2f13379adc30be2
SHA1 hash:
3b42121ffa43d4d7cb8e47657e9cacaae640bab1
Link:
https://www.unpac.me/results/3db18095-a102-4a8a-94cb-f13c0f8379e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/372565/
  
URLhaus
https://urlhaus.abuse.ch/url/2562963/

Comments


Avatar
zbet commented on 2023-03-08 12:34:57 UTC

url : hxxps://tornomoita.com/RoMunITrLKUraN4728294.exe