MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a154a7f877e73662a37e7558cd8c29a129ebfb45821402743e04758e112a6b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a154a7f877e73662a37e7558cd8c29a129ebfb45821402743e04758e112a6b6
SHA3-384 hash: 79fedcd2fa88766fcd6379e3106c7ba6429f99afb83f43e77b9f24b646e41bc03f313ba59ab607f9ee7f61f80b1c6382
SHA1 hash: 9e609cf03b7fe3d640ab960908f7ac5194edbfbc
MD5 hash: 8eb19c6c02f9c2e5ffd5f20bf1859dca
humanhash: winner-oklahoma-network-hotel
File name:8eb19c6c02f9c2e5ffd5f20bf1859dca
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'898'672 bytes
First seen:2022-02-20 07:30:37 UTC
Last seen:2022-03-22 05:14:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fddc083fa31a17c938d0a17ec7cd3025 (141 x RedLineStealer, 4 x RaccoonStealer, 1 x Formbook)
ssdeep 98304:OEno7g4f1b7rKGyJ0mEaS2pEy0mtQ6NSxUjkentUPtWruVMqOnr:Zn6pNqGyJPR9v0o0mb8MLn
Threatray 1'358 similar samples on MalwareBazaar
TLSH T16836336D110C2C0AC2A91779738F59CA067CD64F66C61A3F710ACA6A0177797F21CBAE
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242750/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9908842-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6211ee3c875593a3ccf22c6b/reports/db18c196-14ee-418d-a195-b75db1d54286/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1a2d018-7108-4431-b6db-ebb9c559600a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942765
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a154a7f877e73662a37e7558cd8c29a129ebfb45821402743e04758e112a6b6/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-02-19 01:34:32 UTC
File Type:
PE (Exe)
AV detection:
30 of 43 (69.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hikuu74hpzzwmkrx45kyzwgctijj5p5ulaquaj2d4bdvryisu23a._file
Verdict:
malicious
Similar samples:
03d7bb6de28f63752921367619ad44ca420c80352e96e8aeda734c28ca63557f
RedLineStealer
2c7e8a9b546f7c133469fabcfc200e5ab79da84ffa180fda9e088bc5476af860
RedLineStealer
5d99125b0d97ba0abfcf9916c1a05081c1cc117eb2afaaab39a6f95a60e42ab3
RedLineStealer
6e60006ac8af12483aee2b0f6bcf0a963a0423b494b55f56ad51bfc9b3a3bd71
RedLineStealer
9bd02c78d6dc379e0906312cbf3feee3df113f1837cd41d4e13b0d07e96c5233
RedLineStealer
c57ec94c7fed128887694b07d817af02c2d19aac98d8d1fbd4004a8accee4ee5
RedLineStealer
d2d63e8749f44493b88d1c4de830a37adfcdbbc0e7249a799679020310c6a48a
RedLineStealer
d37f2546cea1ed8a8f85d1f6274f7a59869ded7f56ecc6af9c123dd76fd10d70
RedLineStealer
f4036a8affaa6f227d3fce3a98b5b9bb752cd434f04587ea4105c58fc96404e2
RedLineStealer
+ 1'348 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220220-jcdvxsbbdl/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
837058adf4e1ab526bd5ea5b7d38c105ebc6f30effe83dff543e9c3f0adc5d73
MD5 hash:
53d18b453306ba5b6c7ba9a3094efeb6
SHA1 hash:
174005738bd7f2d9cd427173ed441f2753d5344b
Link:
https://www.unpac.me/results/c4eb6829-8c55-40c3-9d71-f6f1f6e06eab/
SH256 hash:
3610ae2e9336e999d0a087c7b23f1db555ede555e1d040ca03139ef777540c31
MD5 hash:
4dbb3daa5b5a42766fd1d26a54e15fc6
SHA1 hash:
d034051fa915e82e649e130a9919e90b17ee8852
Link:
https://www.unpac.me/results/c4eb6829-8c55-40c3-9d71-f6f1f6e06eab/
SH256 hash:
3a154a7f877e73662a37e7558cd8c29a129ebfb45821402743e04758e112a6b6
MD5 hash:
8eb19c6c02f9c2e5ffd5f20bf1859dca
SHA1 hash:
9e609cf03b7fe3d640ab960908f7ac5194edbfbc
Link:
https://www.unpac.me/results/c4eb6829-8c55-40c3-9d71-f6f1f6e06eab/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3a154a7f877e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a154a7f877e73662a37e7558cd8c29a129ebfb45821402743e04758e112a6b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3a154a7f877e73662a37e7558cd8c29a129ebfb45821402743e04758e112a6b6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2049559/
Cape
Cape
https://www.capesandbox.com/analysis/242750/

Comments


Avatar
zbet commented on 2022-02-20 07:30:38 UTC

url : hxxp://185.112.83.96:20001/bot/cache/47059797.exe