MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017
SHA3-384 hash: 43f62680e7821b6651c3de49c16de62301414f98e8768858a0d5f7d08db2b5cce8243ae1732812e10db318568492cf76
SHA1 hash: b8c1d3171e82de04821ff213bd298c368c4c0b0f
MD5 hash: 7d2177241b4fa57a9e3e6de208875025
humanhash: october-rugby-arkansas-bulldog
File name:7d2177241b4fa57a9e3e6de208875025.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'830'400 bytes
First seen:2022-10-06 09:31:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c642c0b422c0291be517cbe7f80512c6 (4 x RedLineStealer)
ssdeep 49152:Vz/r2pelcD7gxpL4zMdZYkuFUFeDsHpWkIxXBR0:Vz/r2olcWL4zcD4TR
Threatray 5'650 similar samples on MalwareBazaar
TLSH T1DC855C78FB4750F1EA2392B1814FEB7F87247A158421EEBBFF4ACA05F4335122919256
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/317210/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.119485.703.4736.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41499/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware
Link:
https://www.filescan.io/uploads/633ea0978700c347f8f865ac/reports/257bbcc1-b87a-4166-bcc5-251c960e937f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/480c12db-ab8d-47e8-b754-2ac015c53e05
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1085247
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-01 16:38:34 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=heoy3n26p73gqs4lqg6pz43cfwbswdxxvifstua7rkcplseaualq._file
Verdict:
malicious
Similar samples:
15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a
RedLineStealer
20fcde2fa4a9678b5dd349981be15f762f979daf33b6ab60c005f4f4af66d693
RedLineStealer
3b088dbdfd0f215862a3a2d5f3095e781b7a31b74deb25e2226c5e467766f32c
RedLineStealer
3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa
RedLineStealer
8785300bc02bbf034417c477db91c121123b31b1eaf24fc0f74ee11e11ec058c
RedLineStealer
adf21d39c8e8e0b6e733faecf2ac396725724af70be5fe6d2da5442741ad6a25
RedLineStealer
c31f0cfe9be1561ee878cc22c6af53a5cabeaaa5ef9868f13c2be72f638b5457
RedLineStealer
ded87d5d072fec89996dc307c5d8561ec2e86874db3f8edd49c13c84bc74decc
RedLineStealer
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
RedLineStealer
+ 5'640 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@moriwws botnet:h infostealer persistence spyware
Link:
https://tria.ge/reports/221006-lhl5lagha9/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
litrazalilibe.xyz:81
185.186.142.127:17355
185.106.92.139:16578
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/15cf62cd-130c-4b93-bd09-7ab2d4ea5c4d
Unpacked files
SH256 hash:
391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017
MD5 hash:
7d2177241b4fa57a9e3e6de208875025
SHA1 hash:
b8c1d3171e82de04821ff213bd298c368c4c0b0f
Link:
https://www.unpac.me/results/5ed661f4-fb9e-45b4-97bd-eab306e7acb5/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/391d8db75e7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/317210/
  
URLhaus
https://urlhaus.abuse.ch/url/2353271/
  
Delivery method
Distributed via web download

Comments