MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca8b997fbacea025d3790095e72529710db3493ec8bc66de19ff5c5469f0cca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	3ca8b997fbacea025d3790095e72529710db3493ec8bc66de19ff5c5469f0cca
SHA3-384 hash:	3b916d10fcb18fa455cff4ebd599b47ffcf7c97efc06273959db7dc365a143b3087dc42bf738be021a6a34d9a789fcf4
SHA1 hash:	00c77cb6c07db1aee664f2232f76fd1e54a94c76
MD5 hash:	cb11142f93f8395c3f1b534a483b4dd6
humanhash:	angel-bravo-nuts-fruit
File name:	s83297517.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	404'480 bytes
First seen:	2023-05-13 22:56:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8e1291b1baddb8fcca0899ad3cc587e8 (4 x Vidar, 4 x RedLineStealer, 2 x Stop)
ssdeep	3072:+qzpJDoNNml840wdcWz1/NSnwNGY2u+46kF0+Mc7u910CwEBhd+B9PfUD5/myu:dzL28xdckCAGYVd7uX0a9Sfq
Threatray	24 similar samples on MalwareBazaar
TLSH	T13A849D1362F17875E63247328E6E86F8665EF9624F22BBDB2354D62F09B11F2C132741
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	01686e6a6a6a6a48 (2 x RedLineStealer)
Reporter	JaffaCakes118
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

s83297517.exe

Verdict:

No threats detected

Analysis date:

2023-05-13 23:34:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d10dfba8-1cb5-490f-ba77-0ef18744321f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/389223/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.99199.869.16305.UNOFFICIAL

SecuriteInfo.com.Trojan.GenericKDZ.99199.25979.18418.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Sending a custom TCP request

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Blocking the Windows Defender launch

Disabling the operating system update service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

glupteba greyware lockbit packed

Link:

https://www.filescan.io/uploads/646015d7fe2f8f2723bae307/reports/d99a588b-066c-455b-abb3-bc2eece3ed1c/overview

Verdict:

Malicious

Labled as:

Trojan.Zenpak

Link:

https://www.hybrid-analysis.com/sample/3ca8b997fbacea025d3790095e72529710db3493ec8bc66de19ff5c5469f0cca

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1674cd4e-959c-41ec-a58b-dbcfb3be0672

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1232352

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ca8b997fbacea025d3790095e72529710db3493ec8bc66de19ff5c5469f0cca/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-04-30 05:03:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hsultf73vtvaexjxsaev44sss4inwnet5sf4m3pbt724kru7btfa._file

Verdict:

malicious

RedLineStealer

482211794587f7985f0027197ed0b69969d062034f6b1fdf67d563c27885871e

RedLineStealer

6d7ea4c30059878e650cf86cb44fb644dc1e46329f1f4031f50cd6b05346f3d6

RedLineStealer

81146d49bf015b9202eb30a45d224553f08ec936b25d5e3d21b4ad611b36d112

RedLineStealer

878ec26100fae85a47ead5efd4c2a3e8b87ed4d216bb61db244f902d609592d9

RedLineStealer

c154a961ac8e784a6a42aec1733a6e7c0287958fc27f500f4341dfa4d763556d

RedLineStealer

c3839b633f21352702166f574f09962974fc30bbae72fb8ec0557c8c89a3342a

RedLineStealer

dbb85aad99b7c16233015e2672a5bbcb3c21858652ff72e781766c0851d78d32

RedLineStealer

e8ee3601067ef801d52e9348435b6462b8e1b6aa28bf5d375b344a67077d89f9

RedLineStealer

eaafd7f78486e0c2e91d8e0fe27b7cfc73dcbc5b470182065da6c0883f77dc64

RedLineStealer

+ 14 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/230513-2xc38scb6v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Windows security modification

Modifies Windows Defender Real-time Protection settings

Unpacked files

SH256 hash:

f3df0d29138b19fbd0869474e7060f3dc79aa16f6467043b338a86c5b534e1e4

MD5 hash:

3560774b39ee53a53252760a26e5ff0e

SHA1 hash:

d6d9d4a3d66ca2b83ffee3f3a781cfbdd3653533

Detections:

HealerAVKiller

Link:

https://www.unpac.me/results/b9eb0165-62fc-4ffa-b96a-5f880df85353/

Parent samples :

1bf8638a91190e3d6107b1943fb70168db47f5ce320ca582217989bfd052d1ea
eaafd7f78486e0c2e91d8e0fe27b7cfc73dcbc5b470182065da6c0883f77dc64
3ca8b997fbacea025d3790095e72529710db3493ec8bc66de19ff5c5469f0cca
2fd9efbb6f7feba7ab6b9dfbd177874b06ed33bee94c231f1f4466323debb89e

SH256 hash:

ba638cf0c88c2f2be51941734f14ec6ef4d3ec374b848ea181e545e4ce646e89

MD5 hash:

24dae5054a0797b7a2a1fb96cd049f35

SHA1 hash:

bbbe5ace340f4822b315dfad4d34be300b6e6062

Link:

https://www.unpac.me/results/b9eb0165-62fc-4ffa-b96a-5f880df85353/

SH256 hash:

2471473709c9c56a4fdfee2420ead9dd1604b66e8352e5e5686723629d1d77f7

MD5 hash:

ffbd3831141f5a446ec7513a950ca4a0

SHA1 hash:

a0367cbf08e6d9ac8ef1e4ec30aabf1444bf7374

Detections:

HealerAVKiller

Link:

https://www.unpac.me/results/b9eb0165-62fc-4ffa-b96a-5f880df85353/

Parent samples :

SH256 hash:

3ca8b997fbacea025d3790095e72529710db3493ec8bc66de19ff5c5469f0cca

MD5 hash:

cb11142f93f8395c3f1b534a483b4dd6

SHA1 hash:

00c77cb6c07db1aee664f2232f76fd1e54a94c76

Link:

https://www.unpac.me/results/b9eb0165-62fc-4ffa-b96a-5f880df85353/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3ca8b997fbac/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ca8b997fbacea025d3790095e72529710db3493ec8bc66de19ff5c5469f0cca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/389223/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample