MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d5e76babb87991d4abec7c048b34074ccc7c680f49639e0c55e5be0ee6df33d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d5e76babb87991d4abec7c048b34074ccc7c680f49639e0c55e5be0ee6df33d
SHA3-384 hash: 6545ca7e23a67d7aa16ac53dbe19e7faed314f97f50b0ecb045b5f49cf876a0246ee0c98cfc65bc7f0ce14d78570c7a4
SHA1 hash: 3f2d89bfea22440d648e4293ff2edef1128733c0
MD5 hash: a9dc8c4328dd29d83e1a8456edea8163
humanhash: blossom-eighteen-winner-july
File name:ef2e6594-b82c-48a1-bc72-732893199748.bat
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:79'230 bytes
First seen:2023-01-18 10:35:25 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 1536:I+DuFtjXxhyLADFSskZ+uucHa5y+LMfBaT9mpjD+IrnTYB4Z4:VCSwwhuLQ+L5T9em+nTed
Threatray 2'860 similar samples on MalwareBazaar
TLSH T17773F13DAB51451BA4A6838C5CCA98ABD3A92C81B8D093DE53F02BB730BDC353E4557D
Reporter 0xToxin
Tags:bat RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Prompt Response.zip
Verdict:
Malicious activity
Analysis date:
2023-01-17 20:33:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/27e493d6-9330-405f-b3d2-2960d2c62907

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354116/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
50%
Link:
https://www.filescan.io/uploads/63c7cb94e4e81283f94e5d9a/reports/9ba55ced-a576-4bf5-8acf-4ba909447640/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1153778
Signature
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames powershell.exe to bypass HIPS
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786511 Sample: ef2e6594-b82c-48a1-bc72-732... Startdate: 18/01/2023 Architecture: WINDOWS Score: 88 32 Snort IDS alert for network traffic 2->32 34 Yara detected RedLine Stealer 2->34 8 cmd.exe 2 2->8         started        process3 file4 26 ef2e6594-b82c-48a1...32893199748.bat.exe, PE32+ 8->26 dropped 36 Renames powershell.exe to bypass HIPS 8->36 12 ef2e6594-b82c-48a1-bc72-732893199748.bat.exe 14 42 8->12         started        16 conhost.exe 8->16         started        signatures5 process6 dnsIp7 28 109.107.179.248, 49714, 49722, 80 TELEPORT-TV-ASRU Russian Federation 12->28 30 api.ip.sb 12->30 38 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->38 40 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->40 42 Self deletion via cmd or bat file 12->42 44 2 other signatures 12->44 18 cmd.exe 1 12->18         started        signatures8 process9 process10 20 conhost.exe 18->20         started        22 choice.exe 1 18->22         started        24 attrib.exe 1 18->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d5e76babb87991d4abec7c048b34074ccc7c680f49639e0c55e5be0ee6df33d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvphnov3q6mr2sv6y7aerm2aotgmprua6sldtygflzn6b3tn6m6q._file
Verdict:
malicious
Similar samples:
452025fa804107ed4d121a58ac4cf7d6c8e5e91c936c5245d0a215b948fc5f6d
RedLineStealer
49e5b6a43eb0b1f3311af48ffaad03cb2b40354edb537d51a5f86855887f853c
RedLineStealer
6db727f75d26827c936e8380141708c25b9df8c3869fb6bdfe1899bff95781ff
RedLineStealer
80c1568ef979e0d9881fa33ee69c3f8c15caa924acd4df9e4c951a7047577caa
RedLineStealer
d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e
RedLineStealer
d3850a52c492fd7be069cf02e5ca9da6bff3d30fa09b97aa3e9c79979f96d170
RedLineStealer
fa6422c2f12f6bd2e3e59e7e6492e7573124d131a811bd0a5368b6f1365f3916
RedLineStealer
+ 2'850 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230118-mm9l5abf3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d5e76babb87991d4abec7c048b34074ccc7c680f49639e0c55e5be0ee6df33d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354116/

Comments