MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c820da115d083116a24d73cc715283f26b5f4cae406e79e8faf088c682a172e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

SHA256 hash: 3c820da115d083116a24d73cc715283f26b5f4cae406e79e8faf088c682a172e
SHA3-384 hash: 003ad8a1e0d36039f8057844044928f6f1ed2fee7062064f3d39759032cae54419303b452713619e00d70ce446a7ae90
SHA1 hash: 92d6b531fe53ade80117c64f8ee00b5af7f6fccc
MD5 hash: 9316a1a1708a94afb38126b5e24b3c1a
humanhash: finch-hydrogen-early-three
File name: 3c820da115d083116a24d73cc715283f26b5f4cae406e.exe
Signature RedLineStealer
File size: 1'314'648 bytes
First seen: 2021-12-14 14:47:44 UTC
Last seen: 2021-12-14 17:05:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 24576:ocQinxhCG8x9UDwfihVzQQQE215wrTc/5UeWWhDKvAAUkEaHNYK379vHF:Yin38x9UDwfwQ15wrARUedAvAAUNarvF
TLSH T18A5533EBE318B19EF240277C5680D676C1BAD371AC8EB7C83A6AED84404437DE61E15D
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.206.213.148:43383

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
185.206.213.148:43383 | https://threatfox.abuse.ch/ioc/275640/
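The two indicator types on this entry, the C2 socket reported in the comment and IOC table and the SHA256 values in the file information, are what a responder hunts for first. The Python below is an added example, not code from MalwareBazaar or ThreatFox: it parses a constructed Zeek-style conn.log excerpt (not real telemetry), separates exact ip:port hits from address-only hits, emits a Suricata rule for the pair (the sid and message text are arbitrary choices), and checks file bytes against the entry's SHA256 hashes.

```python
import hashlib
from typing import Dict, List, Tuple

# Indicators copied from this entry: C2 socket from the IOC table, SHA256
# values from the file information and "Unpacked files" sections.
C2_IP = "185.206.213.148"
C2_PORT = 43383
THREATFOX_REF = "threatfox.abuse.ch/ioc/275640/"
KNOWN_BAD_SHA256 = {
    "3c820da115d083116a24d73cc715283f26b5f4cae406e79e8faf088c682a172e",  # uploaded sample
    "ed9ec15a7d0de786f7734bd7b7c65fd93b4a843710c561efe055f5093129f55f",  # unpacked payload
}

# Constructed telemetry for the example (not real data): Zeek conn.log-style
# TSV with the columns ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1639493284.120\tCk1\t10.0.0.23\t51812\t185.206.213.148\t43383\ttcp\n"
    "1639493290.003\tCk2\t10.0.0.23\t51813\t142.250.74.78\t443\ttcp\n"
    "1639493301.551\tCk3\t10.0.0.41\t49322\t185.206.213.148\t80\ttcp\n"
)
CONN_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto")


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse TSV connection records; header/comment lines and malformed rows are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(CONN_FIELDS):
            continue
        records.append(dict(zip(CONN_FIELDS, cols)))
    return records


def match_c2(records: List[Dict[str, str]], ip: str = C2_IP, port: int = C2_PORT
             ) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split hits into exact ip:port matches and address-only matches.

    The port comes from this sample's extracted config, so a connection to the
    same address on another port is lower confidence but still worth triage."""
    exact, ip_only = [], []
    for r in records:
        if r["resp_h"] != ip:
            continue
        (exact if int(r["resp_p"]) == port else ip_only).append(r)
    return exact, ip_only


def suricata_rule(ip: str = C2_IP, port: int = C2_PORT, sid: int = 1000001) -> str:
    """Suricata rule for outbound TCP to the C2 socket (sid is an arbitrary local-range value)."""
    return (
        f"alert tcp $HOME_NET any -> {ip} {port} "
        f'(msg:"RedLineStealer C2 {ip}:{port} (MalwareBazaar)"; flow:to_server; '
        f"reference:url,{THREATFOX_REF}; classtype:trojan-activity; "
        f"sid:{sid}; rev:1;)"
    )


def is_known_bad(data: bytes) -> bool:
    """True if the bytes hash to one of the SHA256 values published on this entry."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    exact, ip_only = match_c2(parse_conn_log(SAMPLE_CONN_LOG))
    for r in exact:
        print(f"C2 hit       {r['uid']} {r['orig_h']} -> {r['resp_h']}:{r['resp_p']}")
    for r in ip_only:
        print(f"C2 addr only {r['uid']} {r['orig_h']} -> {r['resp_h']}:{r['resp_p']}")
    print(suricata_rule())
    # Constructed bytes, not the sample; the real file would return True.
    print("known bad:", is_known_bad(b"MZ not the real sample"))
```

For a real hunt, feed `parse_conn_log` the output of `zeek-cut` on your conn.log and hash files with `is_known_bad` on their raw bytes; the unpacked-payload hash is the one most likely to match memory dumps or files dropped after the packer has run.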

Intelligence


File Origin
# of uploads: 2
# of downloads: 125
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3c820da115d083116a24d73cc715283f26b5f4cae406e.exe
Verdict:
Malicious activity
Analysis date:
2021-12-14 14:51:52 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Threat name:
Win32.Trojan.Reline
Status:
Malicious
First seen:
2021-12-14 14:48:13 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline evasion infostealer spyware trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.206.213.148:43383
Unpacked files
SHA256 hash:
ed9ec15a7d0de786f7734bd7b7c65fd93b4a843710c561efe055f5093129f55f
MD5 hash:
c0bf2c0bc815fc2e9f7b07635dec0cb3
SHA1 hash:
491a939f13f52713a79babee5d7efbda952600d8
SHA256 hash:
3c820da115d083116a24d73cc715283f26b5f4cae406e79e8faf088c682a172e
MD5 hash:
9316a1a1708a94afb38126b5e24b3c1a
SHA1 hash:
92d6b531fe53ade80117c64f8ee00b5af7f6fccc
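Several of the vendor signatures above (the WMI queries of Win32_DiskDrive and Win32_VideoController, the firmware table query, the BIOS registry check, and the VirtualBox ACPI registry lookup) are the sample deciding whether it is being analysed. Before re-running a sample like this in a lab, it helps to see the same identifiers the malware sees. The Python below is an added example, not vendor or abuse.ch code: on Windows it reads those sources through PowerShell Get-CimInstance and winreg (Win32_BIOS stands in for a raw SMBIOS firmware table read), elsewhere it runs against constructed inventories, and it reports which values carry a hypervisor marker. The marker list and registry paths are assumptions about where such checks look, not values extracted from this sample.

```python
import subprocess
import sys
from typing import Dict, List, Tuple

# Strings that betray a hypervisor in hardware, firmware and ACPI identifiers
# (assumed list; ordered so the more specific markers are reported first).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "HYPER-V", "VIRTUAL")

# Each inventory field mirrors one of the sandbox signatures above. Win32_BIOS
# stands in for the raw firmware (SMBIOS) table query; the registry paths are
# the standard HKLM locations for BIOS strings and ACPI tables (assumed
# representative of what such checks read, not extracted from this sample).
SOURCES = {
    "WMI Win32_DiskDrive.Model": "disk_models",
    "WMI Win32_VideoController.Name": "video_controllers",
    "WMI Win32_BIOS (SMBIOS strings)": "firmware_strings",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "system_bios_version",
    r"HKLM\HARDWARE\ACPI\DSDT subkeys": "acpi_keys",
}

Inventory = Dict[str, List[str]]


def vm_artifacts(inventory: Inventory) -> List[Tuple[str, str, str]]:
    """Return (source, value, marker) for every inventory value containing a VM marker."""
    hits = []
    for source, field in SOURCES.items():
        for value in inventory.get(field, []):
            upper = value.upper()
            for marker in VM_MARKERS:
                if marker in upper:
                    hits.append((source, value, marker))
                    break
    return hits


def looks_like_vm(inventory: Inventory) -> bool:
    """Coarse verdict: any single artifact is enough for a check like this sample's."""
    return bool(vm_artifacts(inventory))


def _ps(expr: str) -> List[str]:
    """Run a PowerShell expression and return its non-empty output lines."""
    proc = subprocess.run(["powershell", "-NoProfile", "-Command", expr],
                          capture_output=True, text=True, check=False)
    return [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]


def collect_inventory() -> Inventory:
    """Live collection from the current host; Windows only (winreg + PowerShell)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg
    inv: Inventory = {
        "disk_models": _ps("(Get-CimInstance Win32_DiskDrive).Model"),
        "video_controllers": _ps("(Get-CimInstance Win32_VideoController).Name"),
        "firmware_strings": _ps("$b = Get-CimInstance Win32_BIOS; $b.Manufacturer; $b.SMBIOSBIOSVersion"),
    }
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        inv["system_bios_version"] = list(winreg.QueryValueEx(key, "SystemBiosVersion")[0])
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\ACPI\DSDT") as key:
        inv["acpi_keys"] = [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
    return inv


# Constructed inventories for offline use: a stock VirtualBox guest and a
# physical workstation (illustrative values, not captured from real hosts).
VIRTUALBOX_GUEST: Inventory = {
    "disk_models": ["VBOX HARDDISK"],
    "video_controllers": ["VirtualBox Graphics Adapter"],
    "firmware_strings": ["innotek GmbH", "VirtualBox"],
    "system_bios_version": ["VBOX   - 1"],
    "acpi_keys": ["VBOX__"],
}
BARE_METAL: Inventory = {
    "disk_models": ["Samsung SSD 870 EVO 1TB"],
    "video_controllers": ["NVIDIA GeForce GTX 1660"],
    "firmware_strings": ["American Megatrends Inc.", "2801"],
    "system_bios_version": ["ALASKA - 1072009"],
    "acpi_keys": ["ALASKA"],
}

if __name__ == "__main__":
    inventory = collect_inventory() if sys.platform == "win32" else VIRTUALBOX_GUEST
    for source, value, marker in vm_artifacts(inventory):
        print(f"{source}: {value!r} matches {marker}")
    print("looks like a VM:", looks_like_vm(inventory))
```

Run on an analysis VM, every line this prints is a string the sample can read through the same WMI and registry paths the signatures name; an empty result is the baseline to aim for before expecting the stealer to reach the C2 at all.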
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments