MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d05fee7a89dfce1ad029562fa7b84346bce12d932214cde9b26f266d53ce49c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d05fee7a89dfce1ad029562fa7b84346bce12d932214cde9b26f266d53ce49c
SHA3-384 hash: ad88cf9e3a66ea57cff49c80c32ba919771e5b04441bda8341be67de641585880551b746548610ec006d9ab42f46d2dc
SHA1 hash: 411a5706daf68e47dd828af8c2616d67420b7a94
MD5 hash: 2d2f33da036cf7945401ec14ae9ff6ca
humanhash: arkansas-jersey-violet-red
File name:2d2f33da036cf7945401ec14ae9ff6ca
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:582'536 bytes
First seen:2021-06-10 23:13:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 12288:wh1Lk70TnvjcM1CMgZ8cVnf3a09pKmPatOYLi7prbq8PK9W8xprVDHMg:Mk70TrcMIMI8cVf3a09p0tO51SeB8rlF
Threatray 5 similar samples on MalwareBazaar
TLSH 4DC402107291D6B3D473113188EA8B399E3571B24FA996D7FADD177A2F113E0A2322CD
Reporter zbetcheckin
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:FESTAP s.r.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-11-19T00:00:00Z
Valid to:2021-11-19T23:59:59Z
Serial number: 20cd4bfadbea368fb0e36af94e5fbcce
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 4bb2adcd625cd911e5819e625a25c4e51ffeeec12c62f875a4bd0de88ec181e9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file2.exe
Verdict:
Malicious activity
Analysis date:
2021-04-27 15:30:28 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/bea42b85-99ee-443c-a2e3-700f5761cc72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165976/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Replacing files
Launching a process
Creating a window
Searching for the window
DNS request
Running batch commands
Creating a file
Using the Windows Management Instrumentation requests
Launching a tool to kill processes
Forced shutdown of a browser
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/800563
Signature
Antivirus / Scanner detection for submitted sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432959 Sample: fuoAl0V94I Startdate: 11/06/2021 Architecture: WINDOWS Score: 64 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 7 fuoAl0V94I.exe 16 4 2->7         started        process3 dnsIp4 33 p6701.softemstore.xyz 172.67.162.27, 443, 49724 CLOUDFLARENETUS United States 7->33 29 C:\Windows\System32\drivers\etc\hosts, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\fuoAl0V94I.exe.log, ASCII 7->31 dropped 43 Performs DNS queries to domains with low reputation 7->43 45 Modifies the hosts file 7->45 12 chrome.exe 9 74 7->12         started        15 cmd.exe 1 7->15         started        17 cmd.exe 1 7->17         started        file5 signatures6 process7 dnsIp8 35 192.168.2.1 unknown unknown 12->35 37 239.255.255.250 unknown Reserved 12->37 19 chrome.exe 19 12->19         started        21 taskkill.exe 1 15->21         started        23 conhost.exe 15->23         started        25 taskkill.exe 1 17->25         started        27 conhost.exe 17->27         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d05fee7a89dfce1ad029562fa7b84346bce12d932214cde9b26f266d53ce49c/
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 20:56:55 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=huc75z5itx6odlicsvrpu64egrv44ewzgiquzxu3e3zgnvj44soa._file
Verdict:
malicious
Similar samples:
85d879be258470ed22d55bb6fda8be5d0b7d480c23d95b252516e85ccad2fec4
RedLineStealer
a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4
RedLineStealer
aeb1bfcef382789091e72e2d6cae6e471123d0e8e7a5f39c64abf5a3d9a4eaa8
RedLineStealer
c2a307a15f392b72cc51b12a1061c6ad7a2e76843754ee3d2e7b8ba0bc17e540
RedLineStealer
cce923d986150e68dbb2b1686f4cb3af665b2d473d66226e20e0d1509d04b192
RedLineStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210610-cpww8qdfa2/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Deletes itself
Reads user/profile data of web browsers
Drops file in Drivers directory
Unpacked files
SH256 hash:
62701fe365cc2644d88d36574b663b8ea69ee4ca7c50450069e0c4b9007fa12d
MD5 hash:
a9be257eb251faa39ef792cef986416e
SHA1 hash:
cdc8c26025242d5fe94f1d6c19ee8d7beb364d2f
Link:
https://www.unpac.me/results/5b594459-990a-41c0-9cac-760667ea5759/
SH256 hash:
5fbdaa6942b8c31cac996e309a8de8a545618d986e49f3dd208804b0b4d9c6a0
MD5 hash:
e58b6b47395d12f7be5b5859b128a13a
SHA1 hash:
9b365a89b85a4306acff247f1138408e9d5b3371
Link:
https://www.unpac.me/results/5b594459-990a-41c0-9cac-760667ea5759/
SH256 hash:
c9761860c27baae19ae977efe9d1d2eb9c3279e792f05045b51046dd2dc3ffb7
MD5 hash:
9e761803fc99198716323f0ac9681a8d
SHA1 hash:
90dc44363ad873777e1d9c37e3c76b52688878d8
Link:
https://www.unpac.me/results/5b594459-990a-41c0-9cac-760667ea5759/
SH256 hash:
da29c870d9ae1c5c3ab4e13277478e231412a8156d51b46635d32eb2197caf76
MD5 hash:
629f5017a6e8067cb621fa0167f9eef9
SHA1 hash:
5f4503ee9cef9675b25295842fda111b8ef3c5af
Link:
https://www.unpac.me/results/5b594459-990a-41c0-9cac-760667ea5759/
SH256 hash:
3d05fee7a89dfce1ad029562fa7b84346bce12d932214cde9b26f266d53ce49c
MD5 hash:
2d2f33da036cf7945401ec14ae9ff6ca
SHA1 hash:
411a5706daf68e47dd828af8c2616d67420b7a94
Link:
https://www.unpac.me/results/5b594459-990a-41c0-9cac-760667ea5759/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d05fee7a89dfce1ad029562fa7b84346bce12d932214cde9b26f266d53ce49c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3d05fee7a89dfce1ad029562fa7b84346bce12d932214cde9b26f266d53ce49c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1351526/
Cape
Cape
https://www.capesandbox.com/analysis/165976/
  
URLhaus
https://urlhaus.abuse.ch/url/1351664/

Comments