MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3612149bd6ec449427d2aea29be28c3b93d7e58407fe865db4ac938b2747c2f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 12

SHA256 hash: 3612149bd6ec449427d2aea29be28c3b93d7e58407fe865db4ac938b2747c2f4
SHA3-384 hash: 53665dafdb9f145932da2e5d4017e5c071d91331f20daf935ae3484742dd171d3feae5b421bdc3627bfa87338adccfda
SHA1 hash: 4ff3a9401dbd1c24bd5179d7c74a471240b42f0b
MD5 hash: db309a281f2133bfe5cf1c74ee47c275
humanhash: failed-earth-april-green
File name: MicrosoftRuntimeComponentsX86.exe
Signature: RedLineStealer
File size: 3'150'336 bytes
First seen: 2023-01-19 19:20:21 UTC
Last seen: 2023-01-19 20:30:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9db43565b9885ccbe9a55b104076495 (1 x RedLineStealer)
ssdeep: 49152:g3NFUGRYvbiKX6OB5BZvbsD4H7VUPwZD1R1tXEJ+GRgD6Vk3EWo:CNFTRabN5BtbW4bVUiU
TLSH: T11CE57D80FDDB44F2FA0355700897A7AF2730A5069735CADBD6546EAAFC237D20937229
gimphash: a5cfbcf4a2bfe0ae26456eb355de5f9414dde60ed53bcd08cb71d4c94cc4fd9b
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 38f1c8c8d8d4d8d0 (6 x RedLineStealer, 1 x RaccoonStealer, 1 x PandaStealer)
Reporter: iamdeadlyz
Tags: 95-217-102-105 exe FakeCeladonGame RedLineStealer
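The dhash icon value above is what lets MalwareBazaar say the same icon artwork appears on six other RedLineStealer samples plus a RaccoonStealer and a PandaStealer sample: lures that steal a game's icon get re-used across families, and a perceptual hash survives re-rendering where MD5 of the icon resource would not. The Python below is an added example, not MalwareBazaar's own icon hasher, showing the classic difference-hash (dHash) algorithm and the Hamming-distance pivot on three constructed 32x32 greyscale icons. The box-filter downscale, the greyscale input and the distance threshold of 10 are assumptions; the page does not state which resize filter MalwareBazaar uses, so this code will not reproduce 38f1c8c8d8d4d8d0 for the real icon.

```python
"""Perceptual difference hash (dHash) of icon bitmaps, with Hamming distance.

Added example for this MalwareBazaar entry; not MalwareBazaar's own icon
hasher. Icons are constructed 32x32 greyscale grids, and the box-filter
downscale is an assumption, so the values here will not reproduce the
page's 38f1c8c8d8d4d8d0 for the real icon.
"""
from typing import List

Image = List[List[int]]  # rows of 8-bit greyscale pixels


def downscale(img: Image, width: int, height: int) -> Image:
    """Box-filter resize: each output pixel is the mean of its source block."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(height):
        y0 = y * src_h // height
        y1 = max((y + 1) * src_h // height, y0 + 1)
        row = []
        for x in range(width):
            x0 = x * src_w // width
            x1 = max((x + 1) * src_w // width, x0 + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(img: Image, size: int = 8) -> int:
    """Classic dHash: shrink to (size+1) x size, emit 1 where a pixel is brighter
    than its right-hand neighbour. 64 bits for size 8, MSB = top-left."""
    bits = 0
    for row in downscale(img, size + 1, size):
        for x in range(size):
            bits = (bits << 1) | (row[x] > row[x + 1])
    return bits


def dhash_hex(img: Image) -> str:
    """16 hex characters, the same width MalwareBazaar shows for dhash icon."""
    return f"{dhash(img):016x}"


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def is_icon_variant(a: Image, b: Image, max_distance: int = 10) -> bool:
    """Pivot rule: a small Hamming distance means the same artwork (threshold assumed)."""
    return hamming(dhash(a), dhash(b)) <= max_distance


def make_icon(bg_start: int, bg_step: int, square_cols: range, square_val: int) -> Image:
    """Constructed 32x32 icon: horizontal background gradient plus a square at rows 8..23."""
    return [[square_val if 8 <= y < 24 and x in square_cols else bg_start + bg_step * x
             for x in range(32)] for y in range(32)]


# Constructed inputs: original artwork, a re-rendered variant (shifted one
# pixel, different brightness), and an unrelated icon.
ICON_ORIGINAL = make_icon(40, 2, range(8, 24), 220)
ICON_VARIANT = make_icon(50, 2, range(9, 25), 180)
ICON_UNRELATED = make_icon(102, -2, range(2, 14), 220)

if __name__ == "__main__":
    for name, icon in [("original", ICON_ORIGINAL), ("variant", ICON_VARIANT),
                       ("unrelated", ICON_UNRELATED)]:
        print(f"{name:9s} dhash={dhash_hex(icon)} "
              f"distance_to_original={hamming(dhash(icon), dhash(ICON_ORIGINAL))}")
```

The variant differs from the original by one bit per affected row (distance 4) while the unrelated icon is 48 bits away, which is why a near-duplicate threshold rather than exact equality is the useful pivot; an attacker who re-saves or slightly recolours a stolen icon still lands within a few bits.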


Reporter comment (Iamdeadlyz):
From celadon.game (impersonation of the Celadon game by Karpopper - store.steampowered.com/app/2093680/Celadon)
De-pump of 8eaf2e351a8c4e020fe7bc9b967ad4e5d33dd5def7105cb8f254922506935fe4
RedLineStealer C&C: 95.217.102.105:1695
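The reporter's comment calls this file a de-pump of 8eaf2e351a8c4e020fe7bc9b967ad4e5d33dd5def7105cb8f254922506935fe4. "Pumping" is the practice of appending filler after the last PE section so the file grows past sandbox and scanner size limits; de-pumping strips that filler, and because every hash on this page is computed over the whole file, the stripped copy lands as a separate entry with its own MD5, SHA1 and SHA256. The Python below is an added example, not MalwareBazaar's or the reporter's tooling: it parses the section table to find where section data ends, removes the overlay only when it is large and made of a single repeated byte, and reports the hashes of the result. The PE it processes is a constructed stub, and the 1 MiB / single-byte-filler heuristic is an assumption. Overlays are often legitimate (Authenticode signatures, self-extractor payloads), so a blind truncation at the end of the last section would destroy evidence; the check below refuses anything that is not uniform filler.

```python
"""Strip a pumped overlay from a PE and report the resulting hashes.

Added example for this MalwareBazaar entry, not tooling from MalwareBazaar or
the reporter. The PE below is a constructed stub; the 1 MiB / single-byte
filler threshold is an assumed heuristic.
"""
from __future__ import annotations

import hashlib
import struct


def section_data_end(pe: bytes) -> int:
    """Return the file offset just past the last byte claimed by any section.

    Only the DOS header, COFF header and section table are parsed. Bytes after
    this offset form the overlay: an Authenticode signature, an installer
    payload, or, for a pumped sample, junk appended to inflate the file.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt          # first IMAGE_SECTION_HEADER
    end = table + 40 * num_sections       # at least the headers themselves
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in the header
        size_raw, ptr_raw = struct.unpack_from("<II", pe, table + 40 * i + 16)
        if size_raw and ptr_raw:
            end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))


def depump(pe: bytes, min_overlay: int = 1 << 20) -> tuple[bytes, int]:
    """Return (image, bytes_removed). The overlay is stripped only when it is at
    least min_overlay bytes and consists of one repeated byte value, so a real
    signature or installer payload is left alone."""
    end = section_data_end(pe)
    overlay = pe[end:]
    if len(overlay) >= min_overlay and overlay.count(overlay[:1]) == len(overlay):
        return pe[:end], len(overlay)
    return pe, 0


def file_hashes(blob: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256 as MalwareBazaar lists them; all three change on de-pump."""
    return {algo: hashlib.new(algo, blob).hexdigest() for algo in ("md5", "sha1", "sha256")}


def build_fake_pe(section_payload: bytes, pump: bytes = b"") -> bytes:
    """Constructed, non-executable single-section PE32 stub for the demo."""
    e_lfanew, size_opt, num_sections = 0x40, 0xE0, 1
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x102)
    opt = b"\0" * size_opt                 # contents irrelevant for the parser
    hdr_len = e_lfanew + 4 + 20 + size_opt + 40 * num_sections
    ptr_raw = (hdr_len + 0x1FF) & ~0x1FF   # FileAlignment 0x200
    size_raw = (len(section_payload) + 0x1FF) & ~0x1FF
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_payload), 0x1000, size_raw, ptr_raw, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + opt + sect
    header += b"\0" * (ptr_raw - len(header))
    body = section_payload + b"\0" * (size_raw - len(section_payload))
    return header + body + pump


if __name__ == "__main__":
    pumped = build_fake_pe(b"real code", pump=b"\0" * 3_000_000)
    clean, removed = depump(pumped)
    print(f"{len(pumped)} -> {len(clean)} bytes, {removed} bytes of filler removed")
    for algo, digest in file_hashes(clean).items():
        print(f"{algo}: {digest}")
```

When pivoting between a pumped parent and its de-pumped child, compare imphash, ssdeep or the section-level hashes rather than the file hashes, since the latter are guaranteed to differ.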

Intelligence


File Origin
# of uploads: 2
# of downloads: 199
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: MicrosoftRuntimeComponentsX86.exe
Verdict: No threats detected
Analysis date: 2023-01-19 19:22:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean

Behaviour
Searching for the window

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: No Threat
Threat level: 2/10
Confidence: 80%
Tags: anti-debug golang greyware
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: HackBrowserData
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature:
Found potential dummy code loops (likely to delay analysis)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Spyware.RedLine
Status: Suspicious
First seen: 2023-01-19 19:21:07 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 11 of 26 (42.31%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:123 discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: 95.217.102.105:1695
Unpacked files
SHA256 hash: 19da02d6e7ef9721f6a6e4a4dc2ab8d456f0d1b6ee75f98ca5d95822d250ddfd
MD5 hash: 746e58c5867665ce0530be880143b4da
SHA1 hash: 2fa2d5fc481f366c14affa39c4570cd29cf575e4
Detections: redline

SHA256 hash: 3612149bd6ec449427d2aea29be28c3b93d7e58407fe865db4ac938b2747c2f4
MD5 hash: db309a281f2133bfe5cf1c74ee47c275
SHA1 hash: 4ff3a9401dbd1c24bd5179d7c74a471240b42f0b

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: golang_binary_string
Description: Golang strings present

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

27943821044a84f7b3c65fc3004d6f12b3790f545f99bbc57db0e567b750e795
RedLineStealer
Executable exe 3612149bd6ec449427d2aea29be28c3b93d7e58407fe865db4ac938b2747c2f4 (this sample)

Dropped by: SHA256 27943821044a84f7b3c65fc3004d6f12b3790f545f99bbc57db0e567b750e795
Delivery method: Distributed via web download
