MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c2f3ade8f0afd33c1607b95da3eb1de35863e65e1d4430048a79ec3530c862f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c2f3ade8f0afd33c1607b95da3eb1de35863e65e1d4430048a79ec3530c862f
SHA3-384 hash: b2818ac6ebca14770b4806f70db48edb75ff61661833ef7ddacdd004889e48ecc6f1f0190735a5744c95ff5daa0d0469
SHA1 hash: ca398f3b4bf80211c38adbdf12e5992a2038074d
MD5 hash: c8424f1891d93ad106b6ca3986dd2520
humanhash: romeo-shade-north-fillet
File name:3c2f3ade8f0afd33c1607b95da3eb1de35863e65e1d44.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:776'704 bytes
First seen:2023-03-08 15:55:42 UTC
Last seen:2023-03-08 17:30:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:YetpEuAYc6N3kQinYDnK3FQpP3mq/5Io3BxXcCE+tM5m:5pEbYc6ScK3S+q/5IWBmGP
Threatray 1'826 similar samples on MalwareBazaar
TLSH T1F9F4163CF8A49BD6E23AF7738557E210F3F550F3B311C8166EE2888502A5A71A2DE51D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
167.235.141.81:36255

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
3c2f3ade8f0afd33c1607b95da3eb1de35863e65e1d44.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 15:58:07 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/d85f7dc1-3e5d-47aa-83ae-d868e1f3aa45

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372642/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.53953.7878.7173.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
packed
Link:
https://www.filescan.io/uploads/6408b016f0b8f72099e8624a/reports/40ea1c13-8b4c-4db6-bb8b-e02d2d5cbf2c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3c2f3ade8f0afd33c1607b95da3eb1de35863e65e1d4430048a79ec3530c862f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1a6f694-753e-40d7-b43c-29b6b35dc48b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189607
Signature
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c2f3ade8f0afd33c1607b95da3eb1de35863e65e1d4430048a79ec3530c862f/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 16:08:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqxtvxupbl6thqlapok5upvr3y2ymptf4hkegaciu6pmguymqyxq._file
Verdict:
malicious
Similar samples:
3a86f6f2018119707b616977342cbab7e40ba5771ebc853301abe2b28c613e1a
RedLineStealer
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038
RedLineStealer
a7630f89bd924769fcbe10d8ed6569b7a05f47ed70f56a90c7c1f1e4cc45d190
RedLineStealer
e8ee3634afde1b13836ca2183216b38956942300ce6f73ac218152cc7baa47f7
RedLineStealer
f85eee48a83f5476bcd38bcddab53fbfc818d591c07e1c01fd73934a21f9ca7a
RedLineStealer
f90e958c973fcc357ea65be93434edbb959327ac3dc399e12de0ccd9cc636349
RedLineStealer
ff3fd54207331c2b74e6368890552b62c0db63518aeff43d24906fa343eb6ab8
RedLineStealer
+ 1'816 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:5555 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230308-tdcdlaef6v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
167.235.141.81:36255
Unpacked files
SH256 hash:
c11830ab9e72e607375fd405c8c8ea4768819115097ac2775fee74a47e1c1162
MD5 hash:
fcb89773c510975830a41c3a466b9fc5
SHA1 hash:
e0003eec9fe93789106550c902dfdc330deda28a
Link:
https://www.unpac.me/results/ea728b78-f84b-4f40-baa2-010c7095b19a/
SH256 hash:
663866740811ad99b5a34d8c0a31bc6e49b662d7476e46fbe6001a83c464d622
MD5 hash:
7382598795e61668556c9ba865acf062
SHA1 hash:
99c60e85e0df408bf4e97f0d144b9f6b1d890a1b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ea728b78-f84b-4f40-baa2-010c7095b19a/
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/ea728b78-f84b-4f40-baa2-010c7095b19a/
SH256 hash:
3c2f3ade8f0afd33c1607b95da3eb1de35863e65e1d4430048a79ec3530c862f
MD5 hash:
c8424f1891d93ad106b6ca3986dd2520
SHA1 hash:
ca398f3b4bf80211c38adbdf12e5992a2038074d
Link:
https://www.unpac.me/results/ea728b78-f84b-4f40-baa2-010c7095b19a/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c2f3ade8f0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/3c2f3ade8f0afd33c1607b95da3eb1de35863e65e1d4430048a79ec3530c862f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372642/

Comments