MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b28cef3fbfcc3a04ec60110dc57b789425a4bab6b7be57e20b7bbd08783e043. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b28cef3fbfcc3a04ec60110dc57b789425a4bab6b7be57e20b7bbd08783e043
SHA3-384 hash: 50acc2352744ede5729b0832c0ef31e8c24e8b1c5b9f85b6374375ece403e363529b7d96ba6388b4253c6f90b9b62d86
SHA1 hash: 7591bf99153d7926f819d8fa16d71888010f1a7e
MD5 hash: 1e1e6071fa1ba1bb9df60ca094640e57
humanhash: florida-connecticut-kitten-hawaii
File name:1E1E6071FA1BA1BB9DF60CA094640E57.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:704'351 bytes
First seen:2021-07-12 12:25:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (865 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:8zxzTDWikLSb4NS7ET+tG1Xku/MES2ezmpcbk9ivHxjG2pjUYB3nv:6DWHSb4NhK9oezIcQ92vTdv
Threatray 605 similar samples on MalwareBazaar
TLSH T104E40102FD8195B2D5210C355928AB61293D7D201F25CEEBE3D86E5EEA350D0BB34BB7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
137.74.76.180:52028

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
137.74.76.180:52028 https://threatfox.abuse.ch/ioc/159770/

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1E1E6071FA1BA1BB9DF60CA094640E57.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 12:29:25 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/1ff28bfb-512d-41d2-8c45-3926be0d5453

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171077/
Detection(s):
Win.Malware.Generic-9872030-0
Create hunting rule

Win.Malware.Generic-9874383-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58fee9dd-fb25-4dca-83ca-c455bfc4c79c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814831
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b28cef3fbfcc3a04ec60110dc57b789425a4bab6b7be57e20b7bbd08783e043/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 12:26:08 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmum54737tb2atwgaeinyv5xrfbfus5lnn56k7raw655bb4d4bbq._file
Verdict:
malicious
Similar samples:
1d64d3eb1c28bda9e53ed296e9a84092b655deb5fb27aac6ee6d99c65ee6f118
RedLineStealer
6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c
RedLineStealer
6d0083394a549c135820010343353dcfa2929aeaa83f72a50ec60a7263f4ec90
RedLineStealer
79e0a26bc2c9c902744c618ad7af045e5b1ced50f98ca066a33df44218f84702
RedLineStealer
9371abbf0b553023b6ddd05e91a3acaf95f4b5a1a38db5bf8634c1aca7e18d34
RedLineStealer
a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e
RedLineStealer
b75c96558da89e3f3935a90cfd0494db199fce26cbd387985f5d16b3bebe857b
RedLineStealer
e7cc1a50c3ab054c7c102301d32b802813f0651154f585ac315d0778a81501c8
RedLineStealer
e94c70d3dc3ab2496465e73bffc7c5f1bc3963f3ae309a88d5e16d5e54a540ce
RedLineStealer
f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d
RedLineStealer
+ 595 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210712-xlrb11cdt2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
499682bb002458d994e1e8b88909a3c26832bfa2e633432f4769a983ceace93e
MD5 hash:
3e113f4b918c9a4205d6232ead4f18a5
SHA1 hash:
6f6ce13f8383681bc77b0dcb18f6a5c98e934452
Link:
https://www.unpac.me/results/9fb63395-571c-4360-95d2-28776f5d728d/
SH256 hash:
3b28cef3fbfcc3a04ec60110dc57b789425a4bab6b7be57e20b7bbd08783e043
MD5 hash:
1e1e6071fa1ba1bb9df60ca094640e57
SHA1 hash:
7591bf99153d7926f819d8fa16d71888010f1a7e
Link:
https://www.unpac.me/results/9fb63395-571c-4360-95d2-28776f5d728d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b28cef3fbfcc3a04ec60110dc57b789425a4bab6b7be57e20b7bbd08783e043

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171077/

Comments