MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d8a2fc96d40eb7da26413ef54486ce94e3e89730bf15602e7ecbbc5ad852c20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d8a2fc96d40eb7da26413ef54486ce94e3e89730bf15602e7ecbbc5ad852c20
SHA3-384 hash: af12e52a4ffdbdf9d55c749e27697a810f56629a88bdde01e5e7cb6f410b7e40db9deabb3d2041e071e524041f0dc4bd
SHA1 hash: 22eec86262fd21a876f2ff87e5d41f0759df490f
MD5 hash: 60f03227d5b61821a15b3b3297c1012b
humanhash: vegan-oklahoma-ceiling-fruit
File name:60f03227d5b61821a15b3b3297c1012b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:657'920 bytes
First seen:2021-08-21 21:10:29 UTC
Last seen:2021-08-21 21:51:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad1c5bf15a899fcfef408e3485448e67 (11 x RedLineStealer, 2 x StealthWorker, 2 x Smoke Loader)
ssdeep 12288:itEQdlUgG7MIsvQjPWV8X2xFNf0PoyJGEqwRfmT1Ax3GerAt1yITGBn:EUgG7Eg2xFNkoyuwRf/rrq1yBn
Threatray 639 similar samples on MalwareBazaar
TLSH T1F5E4F120B6A0C139F4F311F0556DA3A96928BDB26F2041C773C63BEE96376E49D30697
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
31.44.3.94:62655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
31.44.3.94:62655 https://threatfox.abuse.ch/ioc/192542/

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
60f03227d5b61821a15b3b3297c1012b.exe
Verdict:
Malicious activity
Analysis date:
2021-08-21 21:11:52 UTC
Tags:
evasion opendir
Link:
https://app.any.run/tasks/8b55f09d-ece5-47b4-a8c9-a0f6e6582347

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLineDropperAHK
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181127/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.62415.10660.22363.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebba7a65-2494-4c99-b54b-04fa949f0662
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/836859
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Creates HTML files with .exe extension (expired dropper behavior)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Yara detected Autohotkey Downloader Generic
Yara detected Evader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d8a2fc96d40eb7da26413ef54486ce94e3e89730bf15602e7ecbbc5ad852c20/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-08-21 12:52:50 UTC
AV detection:
23 of 47 (48.94%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwfc7slnidvx3itecpxvisdm5fhd5cltbpyvmaxh5s54llmffqqa._file
Verdict:
unknown
Similar samples:
09d043a7f289686e33b06b331ea2882c7064b9e2a6712dfeff1752e8ffb7ec43
RedLineStealer
0fe6eae5e8fe80590669cc6c0e6878d1d17dbb64a3b9c594334decc965b8683a
RedLineStealer
435893fea822f63cc3bd3f725acd416dff2d1bd8838bf80318d195864a44de09
RedLineStealer
9024b91ce7d51dcba37b1c4d50e89d0819ef236f2e8adaac8e935dbdc49de99c
RedLineStealer
a4ba89389929db2c9baa52e9b858164dad161d53ba61a73712a2c3ba92b49ec5
RedLineStealer
c05415ab6dba7038b35bfab04610a8d0038b3f99e5795f616c65c924c2765c99
RedLineStealer
d1393748b163640113850583346ee301192def81a399142aa276691eecd4314a
RedLineStealer
d13c6afa7b77e0426a8b83a84868d4b86bd2294cf6f1d37c4a8942c881402925
RedLineStealer
d51dd44a65bdd80d1dfcfb6424668f25933ed52348e0eae8c5beac66b200410c
RedLineStealer
+ 629 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/210821-6793ffjqg6/
Behaviour
Checks processor information in registry
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Unpacked files
SH256 hash:
28ab8fef0188d68740bcb68cc97fd084ff2cad58c0ab70737573e98a303a3256
MD5 hash:
644c75d5435f393887dbe9f4788b27ce
SHA1 hash:
51790006e18204d3843248ed4416cf670ab14a0c
Link:
https://www.unpac.me/results/e052998c-b938-44ca-8ef0-310ad10848a6/
SH256 hash:
3d8a2fc96d40eb7da26413ef54486ce94e3e89730bf15602e7ecbbc5ad852c20
MD5 hash:
60f03227d5b61821a15b3b3297c1012b
SHA1 hash:
22eec86262fd21a876f2ff87e5d41f0759df490f
Link:
https://www.unpac.me/results/e052998c-b938-44ca-8ef0-310ad10848a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d8a2fc96d40eb7da26413ef54486ce94e3e89730bf15602e7ecbbc5ad852c20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3d8a2fc96d40eb7da26413ef54486ce94e3e89730bf15602e7ecbbc5ad852c20

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1547068/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181127/

Comments