MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e3d08ba09905af622fd8e48be0957a381695fed7878555205ba4e900e065fe5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 3 File information Comments

SHA256 hash:	3e3d08ba09905af622fd8e48be0957a381695fed7878555205ba4e900e065fe5
SHA3-384 hash:	a1f6183f7ffff3d9bfc2c47931529f62a848a1c3ca1e282b7af97ef264165bc1d551e281c20368acf71ebafc41483949
SHA1 hash:	31221dffa9286e860b62d0953e0e0db5f808dc7b
MD5 hash:	68e3c73c9189424763b2924f8db094e2
humanhash:	mars-harry-high-stairway
File name:	68e3c73c9189424763b2924f8db094e2.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'352'704 bytes
First seen:	2022-01-16 20:31:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f6af73011d9ad7cbccf66eb190442910 (42 x RedLineStealer, 8 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	24576:8M05Yb0aU+sOwCVkh59kSgd9m4yuhWxwrPQ+auDmukEaHNYK3gBm5nyeVOg9:8n5Yb0aU+fvd9mjorYruDDNaUm5nyg9
Threatray	1'003 similar samples on MalwareBazaar
TLSH	T17D55337390CB6E2DD1441DFE8E86F281AF690D10F96847985359C527A07CB168E8B7F3
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
65.108.29.233:23870

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
65.108.29.233:23870	https://threatfox.abuse.ch/ioc/295770/

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

68e3c73c9189424763b2924f8db094e2.exe

Verdict:

Malicious activity

Analysis date:

2022-01-16 20:32:51 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e65bc154-72e1-4e51-8a44-ff18e622482c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/219655/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Malware.Pwsx-9934961-0

Win.Malware.Pwsx-9934967-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Launching the default Windows debugger (dwwin.exe)

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

DNS request

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61e480cbe997359713fa4e08/reports/81096764-2487-42db-a758-49160c4f8a11/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/150f5f2b-61f6-49c6-82c1-9fdd0877c9bd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/921472

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-16 20:32:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hy6qroqjsbnpmix5rzel4ckxuoawsx7npb4fkuqfxjhjadqgl7sq._file

Verdict:

malicious

Label(s):

trickbot

RedLineStealer

3c820da115d083116a24d73cc715283f26b5f4cae406e79e8faf088c682a172e

RedLineStealer

63680cb50ca4c6ec5837dbc45a9a58f9b27fd33fb47e37e4e848225d0d0a1f2f

RedLineStealer

66c13284aed1c04524b47ce98cfa70843f88b16733b9d7c14266c8575502df9b

RedLineStealer

675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542

RedLineStealer

6b316e9b28740fd58ef9e2bcd2843b6d86955bdc41f350ae06ff617ef1380a6b

RedLineStealer

6b70b5494393d3644de4dd90ae5a906407175daea6ee97c0419997e99b4cdfd0

RedLineStealer

81c62d3a5523b804ee83aadc9ca7d648fa028073d8f8e6f0d39123ca402d739e

RedLineStealer

96283ef1de41a1a5c4e7e0fa5ead383995198c25ae71d19d0a4138333ce88dfb

RedLineStealer

edf9a12ec428525419eacd03e0e480e111dd66ec5ea75c116171e1ae6317ac3d

RedLineStealer

+ 993 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion spyware trojan

Link:

https://tria.ge/reports/220116-zbbl6sgba5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

e94165d94d18d3588b1fea1895eb2f11ae9b3cb790ee9505006e1d272e5ecaad

MD5 hash:

2d83cbdf1fec34759fc4bf530d6ec479

SHA1 hash:

0c081d633d767a5c07c4f77b49a349200ba7da6e

Link:

https://www.unpac.me/results/8e26094f-2952-4c8e-8b98-17953a9281aa/

SH256 hash:

3e3d08ba09905af622fd8e48be0957a381695fed7878555205ba4e900e065fe5

MD5 hash:

68e3c73c9189424763b2924f8db094e2

SHA1 hash:

31221dffa9286e860b62d0953e0e0db5f808dc7b

Link:

https://www.unpac.me/results/8e26094f-2952-4c8e-8b98-17953a9281aa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e3d08ba09905af622fd8e48be0957a381695fed7878555205ba4e900e065fe5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/219655/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample