MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a35b0e74809462ef39e914ed306f3c017067423f002a4d4575ee9211136533c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a35b0e74809462ef39e914ed306f3c017067423f002a4d4575ee9211136533c
SHA3-384 hash: aa5f329cd39792a746e8a7f237170d0833bbfbc2af2e43b767ff7499ecc4411d94df0c44115f77ffb2a8e5b81f2c2ee5
SHA1 hash: 14b94fdae794fc6d65412234f32fa10ec0e918f4
MD5 hash: c2cb87736af41e688ce5bd9ab6842cc3
humanhash: kilo-glucose-shade-michigan
File name:Terror Mod Menu.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:239'616 bytes
First seen:2022-12-31 06:18:30 UTC
Last seen:2022-12-31 07:28:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f8e2739a4474ba6db89c37c03f78ddb (4 x RedLineStealer)
ssdeep 3072:rBwMB0szX5yQvvT8uo3JUdy9d7TN6tLAcaGaKkQp5XP6AaoVkB:9wMB0sz3zFYMy9hISj9Qp5XP9amk
Threatray 1'956 similar samples on MalwareBazaar
TLSH T1E734B51764D70C6ACEE4A6744C3B7E41EC1EE6F6A47B202E7EA24EC84C2C375C1B55A1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter atomiczsec
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Terror Mod Menu.exe
Verdict:
Malicious activity
Analysis date:
2022-12-31 06:21:37 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a37ee847-eb53-4f26-ac9d-089827b07b2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Ser.Babar.2005.27225.11025.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/63afd45d40e878e304217bc2/reports/73a3a806-711e-4b6a-ba59-6167e83301a5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fadee502-01a7-4667-963d-148c3607bc88
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143446
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a35b0e74809462ef39e914ed306f3c017067423f002a4d4575ee9211136533c/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-31 06:19:10 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hi23bz2ibfdc5446sfhngbxtyalqm5bd6abkjvcxl3uscejwkm6a._file
Verdict:
malicious
Similar samples:
07d19c5f5bb0d92ae0117043d900737079e01a554164fcbcabb5c6f73e90bb6b
RedLineStealer
186bbf590210d8fd02e981a002c05ab018aaec5ecd9b6ba4a37b16ba2f47b61e
RedLineStealer
32551f9124a359edf3435979372676a4c5bbaeb0423cc3ec53d382abb39d850f
RedLineStealer
465fba168502ed66e373db521f1c0dd93ce30e69d271528051390817977b4818
RedLineStealer
7d8c8ecc7573c478e5a78a7dad1e3b2812f5c53ab1c8e014b640753838ea8764
RedLineStealer
9b9f5db0898f6e2481402322ccfd48bead757e3c93aaccb744ab21e2af54dab9
RedLineStealer
d78f10d9f1fc9f184a8fb7ab10d1683a9857be12a81e504f2389edde9203ab5c
RedLineStealer
de58c36e0d6373fdba1d14fe4085968e4753ed8d490699b36c7f065a4d9a6ea8
RedLineStealer
ecf0c11ebf5e4d33208470fa906bd052aed3bbb5389b6b5a382b33b8a92cf70c
RedLineStealer
ee1613bb37062a8e65092ec3aad9efc1c21f65732745d5557d255c13d6b28d3f
RedLineStealer
+ 1'946 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/221231-g27heshc66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
45.15.157.131:36457
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/79d31e44-db2b-489b-be55-15b783a7efc3
Unpacked files
SH256 hash:
00808978585165f8b932f2f0b96aeb809ebe581f3f5fcbf19fe6f99579bc82f4
MD5 hash:
f04413de046715b06980da408fe0516c
SHA1 hash:
90a470d4c6fd08ff2fdd84c67c73e6b5f4c9a1a8
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/542240e5-635d-4307-9811-1dff86611fe9/
SH256 hash:
3a35b0e74809462ef39e914ed306f3c017067423f002a4d4575ee9211136533c
MD5 hash:
c2cb87736af41e688ce5bd9ab6842cc3
SHA1 hash:
14b94fdae794fc6d65412234f32fa10ec0e918f4
Link:
https://www.unpac.me/results/542240e5-635d-4307-9811-1dff86611fe9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3a35b0e74809/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a35b0e74809462ef39e914ed306f3c017067423f002a4d4575ee9211136533c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments