MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c301ea2f7c6113f5a27f95f694e84c2506aa18ff533ce1583263abace106266. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	3c301ea2f7c6113f5a27f95f694e84c2506aa18ff533ce1583263abace106266
SHA3-384 hash:	cdc78f2ffcf64da981472cbf8638bf13c398b5c1773870c8256bc9aa51f7027048645275cfaacd77f781945d9f8ba0b7
SHA1 hash:	d74790b312152fbc6d74f004bef26227c2f1e6aa
MD5 hash:	bc9b1b368097805254280adc0ebab47e
humanhash:	pip-robert-arkansas-zulu
File name:	Fortnite CFFHOOK by Spyro.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'837'560 bytes
First seen:	2022-04-15 06:53:08 UTC
Last seen:	2022-04-20 10:24:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5a498eee87e4d89512a84502f500181f (138 x AveMariaRAT, 57 x RedLineStealer, 7 x CoinMiner)
ssdeep	24576:9dQLqN28WYExn5TJ0GCrIUcrzET0eX2k3cO9rBAlIiiGGhVsvjwXy77dkVzzZW2I:oLqN28WPUEdHyX2kkNJd52q18h3BFw
TLSH	T1F085CFE3C752010FF0A2A07E902EAD5DB572163147CFB87377895AE4974B2E0A91DB27
TrID	32.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.9% (.EXE) Win32 Executable (generic) (4505/5/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter	tech_skeech
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Fortnite CFFHOOK by Spyro.exe

Verdict:

No threats detected

Analysis date:

2022-04-15 06:58:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/99d72d7a-ada2-4fc3-9a62-02c4b19af58a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/263918/

Detection(s):

SecuriteInfo.com.Variant.Ulise.356012.7527.28927.UNOFFICIAL

Win.Packed.Generic-9944250-0

Result

Verdict:

Clean

Maliciousness:

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13940/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/62591704eab80a7a6c19e242/reports/1de677d3-9a7d-49bf-8d93-efd3feaa6117/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c434b287-7656-491d-9ac9-8cff04a19313

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/977334

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c301ea2f7c6113f5a27f95f694e84c2506aa18ff533ce1583263abace106266/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-04-14 19:26:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 26 (46.15%)

Threat level:

5/5

Result

Malware family:

redline

Score:

10/10

Tags:

family:metastealer family:redline botnet:crpt infostealer spyware stealer

Link:

https://tria.ge/reports/220415-hn73gaddf6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Meta Stealer Stealer

RedLine

RedLine Payload

Malware Config

C2 Extraction:

65.108.20.114:3074

Unpacked files

SH256 hash:

3c301ea2f7c6113f5a27f95f694e84c2506aa18ff533ce1583263abace106266

MD5 hash:

bc9b1b368097805254280adc0ebab47e

SHA1 hash:

d74790b312152fbc6d74f004bef26227c2f1e6aa

Link:

https://www.unpac.me/results/9f7a3495-02cf-4c01-bb54-9616339bd455/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/3c301ea2f7c6113f5a27f95f694e84c2506aa18ff533ce1583263abace106266

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	t0_1 Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 3c301ea2f7c6113f5a27f95f694e84c2506aa18ff533ce1583263abace106266

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/263918/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample