MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
SHA3-384 hash: 5dadf9cf804dff3711b5b1b6e1196301a5c159f1ec62530b6957196d7e6d781cef80ca0f8e035fc0019c7895a16bd14c
SHA1 hash: e71ec4ae6e6b904a404dda2a693e30fb9a5031e9
MD5 hash: 90309a224a627e85b0adf140389ac3bd
humanhash: fanta-lion-oxygen-kitten
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'225'728 bytes
First seen:2023-10-14 05:51:27 UTC
Last seen:2023-10-14 13:43:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9b0aa150c770a62666d246af48611e04 (7 x RedLineStealer, 1 x LummaStealer, 1 x Amadey)
ssdeep 12288:O43UZkZFXpsxk7UOtPHQ2eH3HP0xfp5+Loc/YPcQiqut8lZBRe71KkKnKEcFMZ6j:Agpsxk7UOtPHd/xx5X0Wf9tTZ6tlW
Threatray 357 similar samples on MalwareBazaar
TLSH T1D6459D2279C541B5EDE750BA43ACB939851ED8A1131122CF0AFB17FFE714AC17A3648E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.232/autorun.exe

Intelligence

File Origin
# of uploads :
29
# of downloads :
324
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-14 05:53:51 UTC
Tags:
stealer redline sinkhole
Link:
https://app.any.run/tasks/81a7b68f-e40c-426e-afb7-37839d98accf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454275/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.34174.31390.11157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Forced shutdown of a system process
Sending a TCP request to an infection source
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/652a2c823b921285dcddaadd/reports/724a8e66-ba20-45bd-8610-027f5b21092f/overview
Verdict:
Malicious
Labled as:
TrojanSpy/Stealer.fk
Link:
https://www.hybrid-analysis.com/sample/399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f746b1b2-88bf-4c49-9ffb-abb7f4cacdb0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325605
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-14 05:52:05 UTC
File Type:
PE (Exe)
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgptyiq7teuvlpeclp6swqf3gihp452yag32y3ypznvcutoc5ojq._file
Verdict:
malicious
Similar samples:
0487efa62042b3f3e40cccf5855975137fdad8c3d553292487cee0b54ce18946
RedLineStealer
076b19a8a21cb87d90122c7b15bbb74eae94f34b3e3e28ffb4c850dee90ac15d
RedLineStealer
10cc64af60ef559a93afcb623145b218f0e840666c001d3b38b2ce9a9c09897d
RedLineStealer
1e6ea2a57fd8fd47468e17b92f74a6b593a043205fc8485bca5e5f29499adb11
RedLineStealer
86062cb035cf8fbeaf78c23e24af482c660927e637d1ad1a3c81e167eeee44e5
RedLineStealer
97a6ff69b40f3587e4a792235f4cddd5dbc76940ae8630e9e474c807ad1634e4
RedLineStealer
b3ef8346783b53a63fd52fa50cfba5f0322ee95dc1f723bee0405c4d5c44263b
RedLineStealer
c279bdf117c56f3ae2931ce5864df8d291f523c359342ef48ced08ed47b72127
RedLineStealer
eb37b948c22a10c325ee2b09a22ecaf10fe29a120eb0daff6db894a3b8ee2cc4
RedLineStealer
f522b9b627666889f35157af8e1edc9078fce8ea3690c941f8a80528babba534
RedLineStealer
+ 347 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:build285 infostealer spyware
Link:
https://tria.ge/reports/231014-gkqhksgd5t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
194.169.175.232:45451
Unpacked files
SH256 hash:
4aa706981be061d9fc66f4ec0a581a418d18f976c5835b3c26beaf963b4b7e02
MD5 hash:
281cdc7e284b96011624acded1859799
SHA1 hash:
af8e34c4c7708547c8f2d35a13121c7a9d6fcd20
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/5b6e2851-cc71-48d2-91f6-b18f971b4008/
Parent samples :
399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
267bb2b7b50a45bb27533ca6f45b6d24e8b5a610aadf587326491ceaccdee1cb
5fe52859c007a52ec996e33b1910ccbc6f6bb498d6ca5747053d2174909cb38b
a13d980e94eb413013182bc3ae2adb5411f918db10c26b2e4bbf7ca3ba51616a
94620955d27d425a2584f6368ac6b5e8b7a3b5fc4fcb5080cce4e66e85a964cc
9dce80f85a97e75765dfac0a48e0c1cc59528ecb2bebb6e8a07e3e9e7bc5420f
9f5bccdc67b8653e13dee925d7c528b32f185a0f228be10abeeb5fc145d34675
9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
561ee68412e92b9d76e6798fac347f84d0a63b2781802838bb461dabedaeeb87
aa89427a86b36667ae39bcbd2ef5eb299769ce69057b889c06290e35d39a47a7
0862eca8195791d0880bb2c7b9089fb975fa30b9567c158f03a70fc86991f70d
SH256 hash:
399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93
MD5 hash:
90309a224a627e85b0adf140389ac3bd
SHA1 hash:
e71ec4ae6e6b904a404dda2a693e30fb9a5031e9
Link:
https://www.unpac.me/results/5b6e2851-cc71-48d2-91f6-b18f971b4008/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/399f3c221f99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/399f3c221f992955bc825bfd2b40bb320efe775801b7ac6f0fcb6a2a4dc2eb93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2706937/
Cape
Cape
https://www.capesandbox.com/analysis/454275/

Comments