MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e5f0764c7506f125bf759b8782d2241e50f52b020b2bcc049f3cd39de4c42d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 2 File information Comments

SHA256 hash:	3e5f0764c7506f125bf759b8782d2241e50f52b020b2bcc049f3cd39de4c42d8
SHA3-384 hash:	cb4c9f0a7e1b3066ec4522d41b3c6ea558ae7bba6581e48b942ead8e1f0b8a1b53593ed914667b9b51584eb40839d126
SHA1 hash:	4530c3f91d4848865ec7d6d26557c9829194a86b
MD5 hash:	1c0ca1754d2b82991978b1aa032cac40
humanhash:	uranus-lithium-undress-fish
File name:	1c0ca1754d2b82991978b1aa032cac40.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	300'472 bytes
First seen:	2022-10-05 22:40:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2d5ec24fb9d2ee4cf8208f9e16125d4f (5 x Smoke Loader, 3 x GCleaner, 3 x ArkeiStealer)
ssdeep	6144:I2pwYMoI4AaKnttioFcWm4XgxGpzL5X6bJbPDt3V2o:I2pwYMoI4Avt8oFc8gxG9Vq1ntH
Threatray	8'078 similar samples on MalwareBazaar
TLSH	T1455401323860D972D5636A7059EAD662EF7EF6821B74848B374906AD1F123E04F3D30E
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8070ecd9c898b100 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
89.22.235.53:16640

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
89.22.235.53:16640	https://threatfox.abuse.ch/ioc/871780/

Intelligence

File Origin

# of uploads :

# of downloads :

312

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317043/

Detection(s):

Win.Packed.Dropperx-9973281-0

Win.Packed.Dropperx-9973291-0

Win.Packed.Crypterx-9973294-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/633e07fe122517153553809d/reports/c1c2f3d4-3944-4da8-9753-e1130b5341ec/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f33a9647-91da-40d0-b356-b8fca2c310cd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1084535

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e5f0764c7506f125bf759b8782d2241e50f52b020b2bcc049f3cd39de4c42d8/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-10-03 17:19:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hzpqozghkbxrew7xlg4hqljcihsq6uvqeczlzqcj6pgttxsmilma._file

Verdict:

malicious

RedLineStealer

0dcb665bf83e5de02dac89f4c72741b5330fa15bd8bb45508a756d9d6f5f3a72

RedLineStealer

66307798a05a9774f4d9ca4569ae44d81f738934d70797d2299d0289e5825e81

RedLineStealer

670b1670bc457d64c885cbca3aebcf462aae5086707585f610c4fedc8f4ee073

RedLineStealer

6985cf21dddfea3de38364fc0916058b3a051e8a8c2b513ba4457f8f127909ae

RedLineStealer

b30432c3fa683e21501f1ad3a45edd4de2db3c5764aa1bec41a88759af426bfb

RedLineStealer

cc04d694f64cf0c0e875c279d0aca58c18fe6796dfd94282b61039d400126900

RedLineStealer

ec15d31bf11d68867c2f3a2dec4b6de9a15be7e15d9be18ce330e439b1e9aab2

RedLineStealer

+ 8'068 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:20221001 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/221005-2l3vhsfha3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

89.22.235.53:16640

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3c0a87b0-325c-4096-b877-5709702dada6

Unpacked files

SH256 hash:

8b0ddcc9f85ead58329091e00d62f6a138cdf1e154bd8b994370515e4c51f949

MD5 hash:

769811ac7d52d1eb83a9822719bc0e50

SHA1 hash:

de36b6daba439c9238d6e31bf679e635c155c993

Link:

https://www.unpac.me/results/96da9bbe-4b9d-4bc6-b426-4b397f88a342/

SH256 hash:

3793a5ab4a068a09f34517c8b109b7a67ac1909d462f15956f0e112cec5e3a85

MD5 hash:

5d15b604c382abd763d5d502403ae02a

SHA1 hash:

8a688687f9101fd1f75de2a59615c60c17d6f423

Link:

https://www.unpac.me/results/96da9bbe-4b9d-4bc6-b426-4b397f88a342/

SH256 hash:

575355718d976abbaee6b066f85fa8eb4ea49c2a204b0f70e039aa2a5d423465

MD5 hash:

4ca7d9918409033e7a009ace2355e1a3

SHA1 hash:

1e8243b99cffcc73f3bb9daf1660fc1a022739b0

Link:

https://www.unpac.me/results/96da9bbe-4b9d-4bc6-b426-4b397f88a342/

SH256 hash:

3e5f0764c7506f125bf759b8782d2241e50f52b020b2bcc049f3cd39de4c42d8

MD5 hash:

1c0ca1754d2b82991978b1aa032cac40

SHA1 hash:

4530c3f91d4848865ec7d6d26557c9829194a86b

Link:

https://www.unpac.me/results/96da9bbe-4b9d-4bc6-b426-4b397f88a342/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3e5f0764c750/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/3e5f0764c7506f125bf759b8782d2241e50f52b020b2bcc049f3cd39de4c42d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/317043/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample