MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17
SHA3-384 hash: 372b7698692b1b78367682958e86d5e939e657ce4c3ecea0736f5e597ae3f24f9706ebe7258d4f3c65fce07ee4df6f5c
SHA1 hash: dbe026d99092bec815874ee5b8474d8f0a5ca5ef
MD5 hash: 743f552162e8959725c5c70715285500
humanhash: september-artist-mike-georgia
File name:743f552162e8959725c5c70715285500
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:108'792 bytes
First seen:2021-12-18 09:05:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:ZmxG0A1h+HDoeuL4KZ7mv06VodjY22bZDKX/Jjd6bx4J9200TQ:ZmxLAeHDNuLH6vu8N2JEs89Q
Threatray 56 similar samples on MalwareBazaar
TLSH T133B34B6077CCD914E7BE4E75B8B1519883F4F0132911DB4F1EC654FE1EA2B80AA12AF6
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:Pyrostat
Issuer:Pyrostat
Algorithm:sha1WithRSAEncryption
Valid from:2021-12-08T08:00:00Z
Valid to:2031-12-15T08:00:00Z
Serial number: 52b47714d99a02aa43b32efe5a19e7ae
Thumbprint Algorithm:SHA256
Thumbprint: ba4f50c73b9998c5735e9ae1fa19f828246b13d62fcf0b55639c800dadf5b2a3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.23630.9141.24654.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
hacktool obfuscated overlay packed redline stealer
Link:
https://www.filescan.io/uploads/61bda4448991ba72b38af35e/reports/e94640fc-c598-41a2-95f9-c76755802fd1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d56a3dec-c96f-434f-a4ac-892b70b9e729
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/909484
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2021-12-18 09:05:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hw6vjb5rtkqbtow6c3mqmemvemfxiksf3wzoieoq4237vrtxrylq._file
Verdict:
malicious
Similar samples:
17cf75eb6b87af72f6fbddbe3ce9653f74ef56718198160c454086bb87866676
RedLineStealer
1b8dab946d42aa832cfd9df68593c311e979491f2bd7df7f6f1acb9427215b68
RedLineStealer
565b1484478b1644bd1e8954e079f653b8f71c9f16997d4b7fc53f83da609e35
RedLineStealer
6467af2474360133a3d9fd753097c250d5673f5a6a8b58fd5ac773486cd1ae7c
RedLineStealer
73942b1b5a8146090a40fe50a67c7c86c739329506db9ff5adc638ed7bb1654e
RedLineStealer
79d53f943bc31422487463c4990423e0aeb8960c61e8608b25222c07a4066319
RedLineStealer
c14c17020a470e53754dc2654847e9fbc6fa6f0326e515d10c6a581ad2c8825f
RedLineStealer
c937ab727bd34bd8c83e2ea01054cd60363ca35bd99fccf46b1f1f1f119715db
RedLineStealer
ed3b91ec20184139f90c2432c7d90567dc9c47afc45a87bb4d72fa4a6c64edd9
RedLineStealer
+ 46 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:2021xadmintest1512 discovery spyware stealer
Link:
https://tria.ge/reports/211218-k17nksfefj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Malware Config
C2 Extraction:
saninolece.xyz:80
Unpacked files
SH256 hash:
3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17
MD5 hash:
743f552162e8959725c5c70715285500
SHA1 hash:
dbe026d99092bec815874ee5b8474d8f0a5ca5ef
Link:
https://www.unpac.me/results/13bb6bef-7312-44da-a8f9-fce80ba66e32/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3dbd5487b19a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214961/
  
URLhaus
https://urlhaus.abuse.ch/url/1895314/

Comments


Avatar
zbet commented on 2021-12-18 09:05:01 UTC

url : hxxp://45.159.189.39:8080/1/TestOtSupa.exe