MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 17

SHA256 hash: 39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed
SHA3-384 hash: ea6a335a05ad8c5152362a54b42383da9d83c8d83c1d5bf76052c61deaa17d009972ae779746d40db11e04fbecb1c69f
SHA1 hash: a84c7e1a4f821cf27015137bd2c88f1f1b9d8751
MD5 hash: ff8e838b39548285a0f2e9d4777c9ec0
humanhash: angel-missouri-cold-mike
File name: 39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed
Signature: RedLineStealer
File size: 367,616 bytes
First seen: 2023-04-06 11:38:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 21829bcb83e2224c2104cf7cefe96c53 (8 x RedLineStealer, 2 x CoinMiner, 2 x Smoke Loader)
ssdeep: 6144:/nI50iLIkzSCvb63HhnRtUzLaL9v34yaiRSN4Q6dSK:w50ikk7jOHhF543jOd
Threatray: 472 similar samples on MalwareBazaar
TLSH: T18F74D011B2D1C472DCA645349835D7B8A93FBC705B9986C77B80AB7A1E313D2DE3234A
TrID:
47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 8082a680c0e4f090 (1 x RedLineStealer)
Reporter: adrian__luca
Tags: exe RedLineStealer
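The first thing to do with a downloaded sample is to confirm that the bytes on disk are the object this entry describes. The script below is an added example for this page, not MalwareBazaar's own code: it recomputes the four digests and the size listed in the Database Entry above with the standard-library hashlib and reports each check separately. imphash, ssdeep and TLSH are deliberately left out; they need third-party libraries (pefile, ssdeep and py-tlsh are the usual choices, an assumption here, not something the entry states).

```python
"""Check a downloaded sample against the digests recorded in this entry.

Added example for this page; it is not MalwareBazaar's own code. The expected
values are copied from the Database Entry section above. imphash, ssdeep and
TLSH are left out on purpose: they need third-party libraries (pefile, ssdeep,
py-tlsh are assumed to be the usual choices), whereas everything below is
standard-library hashlib.
"""
import hashlib
import sys
from pathlib import Path

# Digests and size exactly as shown on this entry.
EXPECTED = {
    "sha256": "39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed",
    "sha3_384": "ea6a335a05ad8c5152362a54b42383da9d83c8d83c1d5bf76052c61deaa17d009972ae779746d40db11e04fbecb1c69f",
    "sha1": "a84c7e1a4f821cf27015137bd2c88f1f1b9d8751",
    "md5": "ff8e838b39548285a0f2e9d4777c9ec0",
}
EXPECTED_SIZE = 367_616


def digests(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def verify(data: bytes, expected: dict = EXPECTED, size: int = EXPECTED_SIZE) -> dict:
    """Return {check_name: bool} for each digest plus the byte count.

    Any False means the bytes in hand are not the catalogued sample: wrong
    file, still inside the download container, or a truncated transfer.
    Checking more than one digest is cheap and guards against a typo in any
    single copied value.
    """
    got = digests(data)
    result = {name: got[name] == expected[name].lower() for name in expected}
    result["size"] = len(data) == size
    return result


def verify_file(path: str) -> dict:
    """Convenience wrapper: verify a file on disk."""
    return verify(Path(path).read_bytes())


if __name__ == "__main__":
    checks = verify_file(sys.argv[1])
    for name, ok in checks.items():
        print(f"{name:9} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(checks.values()) else 1)
```

Run it as `python verify_sample.py <path>`; a non-zero exit on any mismatch makes it easy to gate an analysis pipeline on the check. The SHA3-384 line is worth keeping even though most tooling only speaks SHA256: it is the one digest here that a collision against SHA1 or MD5 cannot satisfy.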

Intelligence

File Origin
# of uploads: 1
# of downloads: 250
Origin country: HU

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: 4252037a5918453642c6160143c906f7.exe
Verdict: Malicious activity
Analysis date: 2023-03-27 07:53:20 UTC
Tags: rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour: Searching for the window

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: amadey glupteba greyware lockbit mokes packed redline ursnif yakes
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature:
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour:
Behavior Graph: (image not reproduced here)
Threat name: Win32.Trojan.Lockbit
Status: Malicious
First seen: 2023-03-27 07:51:09 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 22 of 24 (91.67%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:sony infostealer
Behaviour:
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Malware Config
C2 Extraction: 193.233.20.33:4125
Unpacked files
SHA256 hash: 121e86047a4c2a3a3510b693d5b58f236733799527537cb93185d58057a50ae1
MD5 hash: 0553c447c63f0bfa07ab82834f601004
SHA1 hash: 77bb489346633d1e48cdae4994cf9207e037e12f
SHA256 hash: fc149acae1d14442deae885355e11a59c04022c7be43939b354d175ed793defd
MD5 hash: d6498df31de7da7a3a40f455dec3f750
SHA1 hash: 46124fc487cc340c30555af0418171ccb97b3e88
Detections: redline
Parent samples:
13b5ef24472eb8dcdb12adb23ea8cbd08285ac279fd1246aceb4b8adfcaa30ac
315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec
b82fcf368bda3ca3dc3909a3962c32c9b778a507b814faa4c9a7e685ab51ca21
7d6e4a6d983bcdde36c4a000f4c5fdc5cc47302c732b865e6d75c4b5a7210c37
885cd71a5c8ff7e020f3fae0d6b09ae4e6738ef102df163105dbbba7cb0095ac
030bbce7d3b72a04844f1c73d756a2d5cfabde58c902214c36ccc1737b1759d3
d0bbc63fb5cbbfe796106e768883253d6839e20106e436368ea36dbd9488fd94
aa0d375e2bd7a3053398cdff8b475f63d09c9102190d964021c6b6384a4a69b8
d68d2c2c9fcac54a31eb59bad72fc8d7c48d5bcdb39b17cec886e018936165b7
6468b1cbd0c1de3f8dda0fdcca9c585ae8c33c6e60a1837e3435e7d364cf3708
64fd046a49f125efe3475274248f92e7c8165d46038509a97f53b8046e1cdc7c
634915b5a110d6feba5ce01b0c7f0053d5bb86e1644ddeafbed09bcf00f26754
6c616ad906eaaf5380c6c3343e5b8f4b25291d2d8c101a4916e3eae1276ee927
22f8e968a506352f6bd494eb2022633f7f5aa63c8fb3dee3a18b70be139822e3
fff6a6eb6660003361333231bbb001ce7c99396ae603f3d3568928b9df30cc10
b7c6c872fd2112e29b2bddd7cc95ebebbcf07805f718b0c4757bf1463ce397fc
6998af1d9f903ff953b4d0ad8ad7fbcc9a257f786d108a13a0a3b308a4e1c3b7
442383819053791fd1d20cfedff61e4ddd39257d4c7644f1ef5cdd9695a52a28
f5b3c296484c5e8aaf165b36f62f5bca75acd3c452603fb262ff334c8a65d390
a4ab0631a77553314cfe341ae9bb7ac3e2886750ff544673c238146d450b79e4
603a78148b4d2eb02e7667ad7c14f5c788f77792c7fefa4f2400d789785446c0
35984772051be6bcb95f93e5df8cbd243074e68d364db91440da706406dd6ee4
c8a83a59adf0cc70f7e283b74866cd00747030e34e18cf1367a9b3ed76e00efb
5d0c2c3b7c8aab7ad532b6c0b5ecd7b88f33106125d0fe5b5e4ea7136520e8cf
0bee8c6c071a4c7301b26123a1544fbedd43ea2f0fe169200f53ce67d9e0ea06
f75e5636c02279031def2844cc529c9e0aa8a2c82a81f18e36c1701317d9ab4e
858a5b8a86221a0f5ee7ef04e6837db21c5cec9f93037ad6009f1c52250ab40b
2e7d10e7f46b4e43878693428315971c874892129af53911f7ed52d4d4005c2d
2fea6af2b1d327967a46c3228132be457cfc6d670b7e2bbd50d546d844fc77c1
601207ff2909da97272ca4d22cd8ba62012fe4292e902df7b0c3af0b1940c46b
34c064d8fd5046e9b2949e7cedf75d5882581decb1915c902d43ad70e5cbac0f
39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed
30f1762d1da0024e19451c8dfd306ce81eff20dfc83122bf765fb9cd5895c4e1
e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529
SHA256 hash: b4ae8d22425a3887f58385cf9badb14020e00c0709e1e00a768f857b12cfbb01
MD5 hash: 423c9ebe6977b239063328896bb591e6
SHA1 hash: 08a43e54bb6ad89c7f7f47ca171322134787dd0c
Detections: redline
Parent samples:
cb2a011220c6050942b327244c7b3df1b0652c9cf1c18b64f71d2b08b654e6c8
315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec
cf031c6da544366c478a769a2a11743e07e6081891344ed83a3e0ab2a96f2343
6573162f612754c9eab66e38cf9887f9ea4e3ce678058a1c133644e41c192d99
89551bc135efb0262d763796add54f730378324d9acf145ff32ddfe18fac7001
7d6e4a6d983bcdde36c4a000f4c5fdc5cc47302c732b865e6d75c4b5a7210c37
885cd71a5c8ff7e020f3fae0d6b09ae4e6738ef102df163105dbbba7cb0095ac
2267b8157a975f8c3c687dce27c5212de7f0d1800c0baca7dd568d5644a12b89
ff556d834094729d1d1bb1ff1a2c9efa30d8da5cfb6d2745f82606dc908e4054
6b461f6d0e734652d07e41d896922672778eab5eabfd775b7bec54683116f67c
aa0d375e2bd7a3053398cdff8b475f63d09c9102190d964021c6b6384a4a69b8
d68d2c2c9fcac54a31eb59bad72fc8d7c48d5bcdb39b17cec886e018936165b7
c3e011a86632545295b8653faaa5186b8bf5899ffa07c9be4c1b809f043e07d3
64fd046a49f125efe3475274248f92e7c8165d46038509a97f53b8046e1cdc7c
e5695e72ba1c8e424955676b346a790e356ea647830df26be721ea039345b16b
34171e8efa5e3091775e8f47e35690a34be7da2905f6e9acc7d1672372c258a7
6c616ad906eaaf5380c6c3343e5b8f4b25291d2d8c101a4916e3eae1276ee927
22f8e968a506352f6bd494eb2022633f7f5aa63c8fb3dee3a18b70be139822e3
e88df728437f4b3dfb47b686246fc520bb9bd03364b34590502403008e2b4faa
fff6a6eb6660003361333231bbb001ce7c99396ae603f3d3568928b9df30cc10
b7c6c872fd2112e29b2bddd7cc95ebebbcf07805f718b0c4757bf1463ce397fc
6998af1d9f903ff953b4d0ad8ad7fbcc9a257f786d108a13a0a3b308a4e1c3b7
cd2975720f2128167c2550cdad7c52fce440c8fa4c2062c1bca275915b73ad93
603a78148b4d2eb02e7667ad7c14f5c788f77792c7fefa4f2400d789785446c0
c8a83a59adf0cc70f7e283b74866cd00747030e34e18cf1367a9b3ed76e00efb
5d0c2c3b7c8aab7ad532b6c0b5ecd7b88f33106125d0fe5b5e4ea7136520e8cf
0bee8c6c071a4c7301b26123a1544fbedd43ea2f0fe169200f53ce67d9e0ea06
f75e5636c02279031def2844cc529c9e0aa8a2c82a81f18e36c1701317d9ab4e
858a5b8a86221a0f5ee7ef04e6837db21c5cec9f93037ad6009f1c52250ab40b
2e7d10e7f46b4e43878693428315971c874892129af53911f7ed52d4d4005c2d
abb18917606c6031ab4139c3a5da92902af409ab055b48893924ed706b68cad0
601207ff2909da97272ca4d22cd8ba62012fe4292e902df7b0c3af0b1940c46b
cf88c19e1ed803ce213ffd1685f3cbdd787937c918a5dda0f0a2b33d62d18ee3
39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed
30f1762d1da0024e19451c8dfd306ce81eff20dfc83122bf765fb9cd5895c4e1
e29c418c30fc53f707ed4f76db5261b21458893d6bfda410265007c35933c529
SHA256 hash: 39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed
MD5 hash: ff8e838b39548285a0f2e9d4777c9ec0
SHA1 hash: a84c7e1a4f821cf27015137bd2c88f1f1b9d8751
Please note that we are no longer able to provide a coverage score for Virus Total.
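The actionable indicators on this entry are the C2 socket from the extracted RedLine configuration and the digests of the submitted file and its unpacked payloads. The script below is an added example for this page, not MalwareBazaar's own code: it turns those values into a small matcher and runs it over a few constructed log lines (host process-create events carrying file digests, and firewall connection records). The log layout it parses, `Hashes=SHA256=...,MD5=...` and `dst=... dpt=...`, is an assumption standing in for whatever your EDR or firewall actually emits; the indicator values themselves are copied from the Intelligence section above.

```python
"""Match this entry's indicators against host and network log lines.

Added example for this page; it is not MalwareBazaar's own code. Indicators are
copied from the Intelligence section above: the C2 socket from the extracted
RedLine config, and the SHA256/SHA1/MD5 of the submitted file and of the three
unpacked payloads. The log lines are constructed stand-ins, and the field
layout they use (Hashes=..., dst=... dpt=...) is an assumption, not a product.
"""
import re
from dataclasses import dataclass

# "C2 Extraction" on this page.
C2 = ("193.233.20.33", 4125)

# Submitted file and unpacked payloads, keyed by lowercase hex digest.
HASHES = {
    "39ec013562bd764d28fc3946be960d00c4d89d05923e5a5bacb02905b7e303ed": "submitted sample (SHA256)",
    "a84c7e1a4f821cf27015137bd2c88f1f1b9d8751": "submitted sample (SHA1)",
    "ff8e838b39548285a0f2e9d4777c9ec0": "submitted sample (MD5)",
    "121e86047a4c2a3a3510b693d5b58f236733799527537cb93185d58057a50ae1": "unpacked payload 1 (SHA256)",
    "77bb489346633d1e48cdae4994cf9207e037e12f": "unpacked payload 1 (SHA1)",
    "0553c447c63f0bfa07ab82834f601004": "unpacked payload 1 (MD5)",
    "fc149acae1d14442deae885355e11a59c04022c7be43939b354d175ed793defd": "unpacked payload 2 (SHA256)",
    "46124fc487cc340c30555af0418171ccb97b3e88": "unpacked payload 2 (SHA1)",
    "d6498df31de7da7a3a40f455dec3f750": "unpacked payload 2 (MD5)",
    "b4ae8d22425a3887f58385cf9badb14020e00c0709e1e00a768f857b12cfbb01": "unpacked payload 3 (SHA256)",
    "08a43e54bb6ad89c7f7f47ca171322134787dd0c": "unpacked payload 3 (SHA1)",
    "423c9ebe6977b239063328896bb591e6": "unpacked payload 3 (MD5)",
}

# Any MD5/SHA1/SHA256-sized hex run, case-insensitive (Windows telemetry often
# uppercases digests). Longest alternative first so a SHA256 is not split.
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
# "1.2.3.4:4125" or "dst=1.2.3.4 dpt=4125"; assumed layouts, adjust to your source.
SOCKET_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::|\s+dpt=)(\d{1,5})")


@dataclass
class Hit:
    line_no: int
    kind: str      # "hash" or "c2"
    value: str
    note: str


def scan(lines):
    """Return a Hit for every indicator found, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HEX_RE.findall(line):
            note = HASHES.get(h.lower())
            if note:
                hits.append(Hit(n, "hash", h.lower(), note))
        for ip, port in SOCKET_RE.findall(line):
            # Port matters: the same host on 443 is not this indicator.
            if (ip, int(port)) == C2:
                hits.append(Hit(n, "c2", f"{ip}:{port}", "RedLine C2 from extracted config"))
    return hits


# Constructed sample telemetry (not real data): one process-create event with
# the submitted file's digests, two outbound connections, and a benign process.
SAMPLE_LOGS = [
    "2023-04-06T11:40:02Z host=ws17 event=ProcessCreate Image=C:\\Users\\u\\Downloads\\setup.exe "
    "Hashes=SHA256=39EC013562BD764D28FC3946BE960D00C4D89D05923E5A5BACB02905B7E303ED,MD5=ff8e838b39548285a0f2e9d4777c9ec0",
    "2023-04-06T11:40:05Z host=ws17 event=fw action=allow proto=tcp src=10.0.0.17 spt=51234 dst=193.233.20.33 dpt=4125",
    "2023-04-06T11:40:06Z host=ws17 event=fw action=allow proto=tcp src=10.0.0.17 spt=51235 dst=193.233.20.33 dpt=443",
    "2023-04-06T11:41:00Z host=ws18 event=ProcessCreate Image=C:\\Windows\\System32\\notepad.exe "
    "Hashes=SHA256=" + "0" * 64,
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value} -> {hit.note}")
```

Two points from the entry itself argue for pivoting on these values rather than on the looser ones. The imphash is shared with CoinMiner and Smoke Loader samples, and the MAL_Malware_Imphash_Mar23_1 YARA rule fires on exactly that imphash, so an imphash match alone says "known-bad packer or stub", not "RedLine". Likewise the vendor labels disagree (Win32.Trojan.Lockbit from one, a smokeloader YARA hit and an amadey/glupteba/ursnif tag list from others, redline with botnet:sony from the config extractor), so the family name from any single vendor is not something to key detection logic on; the extracted C2 socket and the payload digests are.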

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples produce during analysis. Note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments