MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bdc01ad4470ffaed08134d58f6d4fde3df7d92cd4699a813922b1fcdffe96d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments 1

SHA256 hash:	3bdc01ad4470ffaed08134d58f6d4fde3df7d92cd4699a813922b1fcdffe96d7
SHA3-384 hash:	0db2cfc8e1975f739f7d2ac3cbf628ddcae210bc92b67fbac82d96d659bd9d26bca411de6c4d650e17eeec5f65eb6833
SHA1 hash:	a53c472d0d2f978e53aca6d0328f69a64e4cf223
MD5 hash:	e7966d0eb0c610e87f967a1d8481e066
humanhash:	cup-seventeen-network-early
File name:	e7966d0eb0c610e87f967a1d8481e066
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	393'728 bytes
First seen:	2022-12-02 00:08:33 UTC
Last seen:	2022-12-02 01:28:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0393613f68e843e3b1810bf6293f4d14 (1 x Amadey, 1 x RedLineStealer)
ssdeep	6144:sLb3NGBMxhq8Vf1mKA30tPNXLTWIClG4NuthF8335lohvVZVFvg4/FQF:6DNj68+BEvXL6X4R8H5lohvPDgSm
Threatray	13'248 similar samples on MalwareBazaar
TLSH	T1EF84F181B400F0B2C5660D3D84E9DBA06D78BC26C274EA4337B4666E6E712B1877F35B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9ee56565e5a5a584 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

e7966d0eb0c610e87f967a1d8481e066

Verdict:

Malicious activity

Analysis date:

2022-12-02 00:11:52 UTC

Tags:

redline

Link:

https://app.any.run/tasks/1656499f-fe86-4450-93f0-c86789a2ac42

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/341658/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.35058.7556.23675.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63894220579915b6b303ef2e/reports/0e2ee205-65fc-45ca-b638-b74c26438578/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e9642d5f-140d-4880-903d-bc05b477d419

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1126134

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3bdc01ad4470ffaed08134d58f6d4fde3df7d92cd4699a813922b1fcdffe96d7/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-11-29 02:23:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hpoadlkeod725uebgtky63kp3y67pwjm2ruzvajzeky7zx76s3lq._file

Verdict:

malicious

RedLineStealer

36c07f85265c76770103c0742059226287a05bee2a2909788f98eec6e8f96ba3

RedLineStealer

c3bccd847bcf72d889d41ef370d6f511873a217d650d264b0241de6029211962

RedLineStealer

cd3ec3921f09dbc5391d423dcb50e4cb4669bb1eb9741167626243d630c4c7ff

RedLineStealer

d6975d134cc13b002f41d1637336ae8e793da8f5024456f71b01123dc5d5c132

RedLineStealer

e58955b8f25bd1f1fdbb0b3113b38cc23cf8faf3e33a47cd9b4bab0ab21957d6

RedLineStealer

+ 13'238 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/221202-afhhvahe5z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

.NET Reactor proctector

RedLine

RedLine payload

Malware Config

C2 Extraction:

77.73.133.85:9862

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/58abf721-175e-4b1c-9c25-45e99fb8f6d3

Unpacked files

SH256 hash:

8536c86dc58e3570f8414d374fcdff879f2419c0a1a1666ab10afc56f49c2d33

MD5 hash:

6be10376bbb08a8e1b38675992d02485

SHA1 hash:

f2fca1b848b35e8edf95fc2b3e9138c5112ff781

Link:

https://www.unpac.me/results/e97e82d8-6d43-4f17-9056-29722e9c0ed2/

SH256 hash:

e3ac0c6784447fdfe6ac3a5d760ec6967f529fc350541a2fafb363fad4a805cd

MD5 hash:

48ac222f8620bf8af855671c6f9d0e78

SHA1 hash:

b93f87c958fea0e5112cbb54efe231df93f5aa12

Detections:

redline

Link:

https://www.unpac.me/results/e97e82d8-6d43-4f17-9056-29722e9c0ed2/

SH256 hash:

dc81d1b645c82c3dc8635d344971bb627c563855a4cec4ca76c2ce61f0eecf43

MD5 hash:

5a9f8a7c0477428dc5caa41fda048476

SHA1 hash:

979b799d638778ed968cf1983d1957c09492ff33

Detections:

redline

Link:

https://www.unpac.me/results/e97e82d8-6d43-4f17-9056-29722e9c0ed2/

SH256 hash:

3bdc01ad4470ffaed08134d58f6d4fde3df7d92cd4699a813922b1fcdffe96d7

MD5 hash:

e7966d0eb0c610e87f967a1d8481e066

SHA1 hash:

a53c472d0d2f978e53aca6d0328f69a64e4cf223

Link:

https://www.unpac.me/results/e97e82d8-6d43-4f17-9056-29722e9c0ed2/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3bdc01ad4470/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3bdc01ad4470ffaed08134d58f6d4fde3df7d92cd4699a813922b1fcdffe96d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 3bdc01ad4470ffaed08134d58f6d4fde3df7d92cd4699a813922b1fcdffe96d7

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2441257/

Cape

https://www.capesandbox.com/analysis/341658/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-12-02 00:08:37 UTC

url : hxxp://77.73.133.113/lego/PeakedTangleweed.exe