MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51
SHA3-384 hash: 815265bb468f845e2bd985f8e00d116fc0faebd17a301c153782271628cfdfe45e04f6910729c0fb5de369fcf4189279
SHA1 hash: c9322c3e434935dedc3052eb13112c8c99678e6a
MD5 hash: 4755b942c3ebe6582e5ebe5f7a78b1fa
humanhash: maine-football-tennis-lima
File name:4755b942c3ebe6582e5ebe5f7a78b1fa.bin.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:279'552 bytes
First seen:2023-06-19 12:15:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d91fa928c738702455bfa66ac3685503 (23 x RedLineStealer, 7 x Amadey, 1 x Healer)
ssdeep 6144:9Xukab22twAUjnFM9P3Z73jLxYKJk+JyvVLMl:daC3FOLxtRyvV
Threatray 1'678 similar samples on MalwareBazaar
TLSH T15A544B0FB5C50336E471103D2BB02956EDEDBC910D34ADB73A6CC329156BBE2A9690DE
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.154.181.39:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
4755b942c3ebe6582e5ebe5f7a78b1fa.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 12:18:07 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/8590a27b-67ca-430a-a8cd-9394d89b8eaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400441/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.22065.28703.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware masquerade
Link:
https://www.filescan.io/uploads/6490470210461c2d676a6bda/reports/dff5f9c5-3fc1-4eff-aee1-5cd0497f6219/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b2505816-c9d8-491e-8f05-e52515ddff0f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257365
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 12:16:04 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hszywlftvj642rmdohxkqyye3u67tvs66shlsu7tqouxra2xlviq._file
Verdict:
malicious
Similar samples:
173dab5f308f27a0e91706ba7cca550ad73d6d4806480099692f4f498a8b2b4d
RedLineStealer
3023836b37a47b6599e276d2d7553299e07a1c372c40d47659d6c041595b1aa6
RedLineStealer
3b7e4f66c4398814f9c83b444dcc14b5ba2e407f00c411a9059247b40266d4d6
RedLineStealer
4fc91338a68b0d910c0cda912862387fd02b96e96be18c58a895d078005a5207
RedLineStealer
521dcc37d3061837443e0e903d96433ce572e186e7a41a92a0b111f8d2fdddc7
RedLineStealer
a506164efe62709bde219f076979078ffd7c73f0755afe8349906861040b4899
RedLineStealer
b96d28c0c43a8bc8c124dfbd69b03e2ea83c698024a7bd4e3770a2465e425c44
RedLineStealer
bd5eefb71c71dcf1dc8c90a4607417ab1be8e947b399baac1721b40e7cb7cb04
RedLineStealer
c2638a87bb13c43789a46338781509e9cc98aa23d98b7d3d446df2bd18ef954b
RedLineStealer
f99105d3e75dd3ff6a90047b7ba912f4fcec7234695b9355a5d9cfb6db0fb05c
RedLineStealer
+ 1'668 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@sogood1337 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230619-pffrksdg58/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
vikaneleneer.shop:80
Unpacked files
SH256 hash:
9d7db71c1503a39c212ae19c34abcfa04e388869f0389504ff6b496ae697d56c
MD5 hash:
ac6e2bf4623442bebed60ce3c0e1b3b0
SHA1 hash:
c0f7dbc3295065e9ab91333e37c26ffdfc9c5c1c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/d193d5ab-6337-433d-adc9-8383f3b05840/
Parent samples :
3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51
fde7d0b48ad316598693b9cc8a47f9a927d87da67027384ef6719375a8cc664c
SH256 hash:
d80e375009f93d2b97a23e4bb6e7712ecc425fa827fb7b0c06ea67e80a6bcfd0
MD5 hash:
3f5c925f7873345fe3d762d35815aee5
SHA1 hash:
8ec87888d993bfd424ac920bc95dc54eca999dea
Link:
https://www.unpac.me/results/d193d5ab-6337-433d-adc9-8383f3b05840/
SH256 hash:
3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51
MD5 hash:
4755b942c3ebe6582e5ebe5f7a78b1fa
SHA1 hash:
c9322c3e434935dedc3052eb13112c8c99678e6a
Link:
https://www.unpac.me/results/d193d5ab-6337-433d-adc9-8383f3b05840/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3cb38b2cb3aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cb38b2cb3aa7dcd458371eea86304dd3df9d65ef48eb953f383a97883575d51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400441/

Comments