MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3849624cfb61f179a0346afd310c8703901cfd66fe29be6fa568c8283468eabb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3849624cfb61f179a0346afd310c8703901cfd66fe29be6fa568c8283468eabb
SHA3-384 hash: 0111a4f20b8ae6efabc9c2c465ce858cc16738b22645ac103f1bb1601db5e0cb5e34c14e890528467352d16f262d1142
SHA1 hash: 3b6be4fa3a90010fcef63dc07eb016333423b906
MD5 hash: c601d5838e8b275118ec654a09c0ffc5
humanhash: fourteen-robert-bakerloo-cardinal
File name:c601d5838e8b275118ec654a09c0ffc5
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'252'823 bytes
First seen:2022-02-09 08:27:22 UTC
Last seen:2022-02-09 10:47:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1f273e55d954a3cd6ab7388915a0485 (3 x Neurevt, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 49152:czOJB5ZJBK7/stk6SY6stAHzUfj7a3MTP4FUQD69tlLhMRtasce97Vz3rc7L8:cKBtKzatHa43Qe97FutasZLh
Threatray 780 similar samples on MalwareBazaar
TLSH T158369F23B389613EC46B1976853BD6689C3F7F627912CC4B7BF4694C8F351406A3A60B
File icon (PE):PE icon
dhash icon f8f89c969392ece4 (3 x RedLineStealer, 2 x Formbook, 1 x FickerStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://94.103.91.118/MSIservice.exe
Verdict:
Malicious activity
Analysis date:
2022-02-08 01:29:48 UTC
Tags:
installer trojan rat redline
Link:
https://app.any.run/tasks/0ea56b11-b0ed-4072-b21b-1bb47ca30162

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239305/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38929748.21058.9684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Delayed reading of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe control.exe dotnet.exe expand.exe explorer.exe fingerprint greyware keylogger overlay regasm.exe replace.exe rundll32.exe
Link:
https://www.filescan.io/uploads/62037b1fc79b424d720a479f/reports/8d618cf8-53c4-46b6-9763-5d3ea7793850/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Zeppelin Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bee94c7a-e9d1-4180-bf02-79c631383ba8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/936629
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3849624cfb61f179a0346afd310c8703901cfd66fe29be6fa568c8283468eabb/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 13:46:06 UTC
File Type:
PE (Exe)
Extracted files:
81
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbeweth3mhyxtibunl6tcdehaoibz7lg7yu3435fndecqndi5k5q._file
Verdict:
malicious
Similar samples:
0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686
RedLineStealer
15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
RedLineStealer
4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
RedLineStealer
6122924f2393d69b3d9c563736b33ca5182023d9d26c17edd34926ce1f844d7b
RedLineStealer
7c42542ebefa3aa55190c1a099b75215cded42548a2f11cccf435e9a75179cd1
RedLineStealer
86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
RedLineStealer
a0ac775ecbfa0ab3218e32b09a0d4fdcd82e7ceaa31241dc106c4fc77e9b5ddb
RedLineStealer
bd8d1264a88d5cdd701a4ee909b70beaec39d216c988b33bfb30f25aee3540ee
RedLineStealer
bf72cee251615ca0af6b861fd4abf781b007249d3b0bc8612bcb37bac0d427f5
RedLineStealer
ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39
RedLineStealer
+ 770 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:gizmo discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220209-kc1kcshhcn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.107:1433
Unpacked files
SH256 hash:
88254d96e2b107a95392e615b735aafbd5e317372c8ad5e47221b11a3fcc6934
MD5 hash:
e32f4316a00790781e84741981741626
SHA1 hash:
ae9aeafa9db51e7bbf5789c7e547fed8af40b6fe
Link:
https://www.unpac.me/results/76074d21-fef3-4936-9863-6f651ed3d0a8/
SH256 hash:
80c4d0a9d4f4191da44050fdeee6afb571d4942f510db1b77fd8df9a230a32b0
MD5 hash:
20dd899b1d979b872f2170b3db336970
SHA1 hash:
2fec91f16fa6e69da743154f6bf084476519d577
Link:
https://www.unpac.me/results/76074d21-fef3-4936-9863-6f651ed3d0a8/
SH256 hash:
feb41c3ec761c7566fec80f67ffb1c15c35d9c513eb5b483275e98396d4f7cc0
MD5 hash:
390e469d2d1ed380d075c92015982ced
SHA1 hash:
7ffa97f122f271d1b1d0b5b9bf8ffb4e171816e6
Link:
https://www.unpac.me/results/76074d21-fef3-4936-9863-6f651ed3d0a8/
SH256 hash:
3849624cfb61f179a0346afd310c8703901cfd66fe29be6fa568c8283468eabb
MD5 hash:
c601d5838e8b275118ec654a09c0ffc5
SHA1 hash:
3b6be4fa3a90010fcef63dc07eb016333423b906
Link:
https://www.unpac.me/results/76074d21-fef3-4936-9863-6f651ed3d0a8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3849624cfb61f179a0346afd310c8703901cfd66fe29be6fa568c8283468eabb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2038472/
Cape
Cape
https://www.capesandbox.com/analysis/239305/

Comments


Avatar
zbet commented on 2022-02-09 08:27:23 UTC

url : hxxp://185.251.88.210/MSIservice.exe