MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e1ddb36206f3272e78b1400e35a71bad7d503c8e81d85a4cc9958c53a8c9ba6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	3e1ddb36206f3272e78b1400e35a71bad7d503c8e81d85a4cc9958c53a8c9ba6
SHA3-384 hash:	e2d2ea0d4c16322dbc21fef4396b907b5bee2a8748a4cd3638870a21a97675723c01c3049016cac265eeaec1f7ca638c
SHA1 hash:	6c29663ee0ee494c91901a0e7b73462ec2f826e6
MD5 hash:	90b3057614a3e0d189f8aebe2eb5259e
humanhash:	september-artist-butter-fifteen
File name:	setup.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'647'793 bytes
First seen:	2022-11-30 15:05:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	26093aeed04a948c138ea9102034d47f (4 x RedLineStealer, 1 x RecordBreaker)
ssdeep	24576:7nMZFDozaqLwkhp0JAhUsBdlbWgnAoHfDR74mh/30as/W4M/75+35qfDUY1ggDeI:zMYFdLnAo/Db/3Vs/4/14qfDUYBk7q
Threatray	21 similar samples on MalwareBazaar
TLSH	T110C52B036A8B0D75DDD27BB4A1CB633AA738ED34CA2A9F7FB608C13559531C46C0A752
TrID	32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 20.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	JAMESWT_WT
Tags:	exe fakecrack RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2022-12-01 01:13:36 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/560f20ef-a4c9-4f53-b004-e4b4c88b92ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/340170/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Connecting to a non-recommended domain

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/6387715e559d07a06f48ce09/reports/b17675d4-f782-4367-adbc-dbb026937e71/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1eccae68-ba2c-4d36-8f07-ecfea239c001

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1124090

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e1ddb36206f3272e78b1400e35a71bad7d503c8e81d85a4cc9958c53a8c9ba6/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-11-30 15:06:14 UTC

File Type:

PE (Exe)

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hyo5wnran4zhfz4lcqaogwtrxll5ka6i5aoyljgmtfmmkoumtota._file

Verdict:

malicious

RedLineStealer

460d5aa48b9a922f9b8789e0b3373d861b54ec304a900468e2af3721d3d549eb

RedLineStealer

49ebd06a80f2c1cf1f3f0e6a760e7bafc360982d5f7ed03d6fe902a67294a2be

RedLineStealer

59cc3561cf457f8e258eaac0dcaa33e9f2294400b92af8bfb5c5b66290322236

RedLineStealer

88af1e9043d969296da2fba89cfe6d2cd01174d2fcc5c78d63d90191704b8e90

RedLineStealer

8edce063ac9af61dd0b493b9dec7e959b93021ad55a07cfe6e2b5519b46581f2

RedLineStealer

adf21d39c8e8e0b6e733faecf2ac396725724af70be5fe6d2da5442741ad6a25

RedLineStealer

cfc689df6491f5e7ff691170453230df1bed374d19fa8ac9e4e48770892f70f7

RedLineStealer

+ 11 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@reeeebl infostealer spyware

Link:

https://tria.ge/reports/221130-sgrf9aah83/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

Malware Config

C2 Extraction:

79.137.192.20:7466

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bdb544c8-f81a-4550-b958-d9428c1aed66

Unpacked files

SH256 hash:

ec5f4ce31c0890adbd81773c503cd63ff1db02bf6a025df5ed6c352339ebbb4e

MD5 hash:

7c4718dc2b6c74a339c9870ef092b580

SHA1 hash:

27d9399cfb95dca6aec3c9bbe86902d551713776

Detections:

redline

Link:

https://www.unpac.me/results/50fa7d81-e5d8-4623-b92f-6ace6e90642b/

SH256 hash:

3e1ddb36206f3272e78b1400e35a71bad7d503c8e81d85a4cc9958c53a8c9ba6

MD5 hash:

90b3057614a3e0d189f8aebe2eb5259e

SHA1 hash:

6c29663ee0ee494c91901a0e7b73462ec2f826e6

Link:

https://www.unpac.me/results/50fa7d81-e5d8-4623-b92f-6ace6e90642b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3e1ddb36206f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e1ddb36206f3272e78b1400e35a71bad7d503c8e81d85a4cc9958c53a8c9ba6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/340170/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample