MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e64d7c3c2fc7e7b55352165b23986bf8fde895b989c7c9a8480130666a546bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	3e64d7c3c2fc7e7b55352165b23986bf8fde895b989c7c9a8480130666a546bf
SHA3-384 hash:	1b6a23963c1cb41bdbb65b3d62d002ca5987d6340fb48669e3151edf0b028ef933d933ffc6f1b04545424285943dfca9
SHA1 hash:	c0aa6c0eaaee32131fbec95897bc5022d7deb71a
MD5 hash:	b5b1f83525d80662248e101459354a7f
humanhash:	lake-music-idaho-comet
File name:	b5b1f83525d80662248e101459354a7f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	407'040 bytes
First seen:	2021-11-03 20:17:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e024db68009cf7f32dd817cae1867bf3 (6 x RedLineStealer, 2 x AZORult, 2 x RaccoonStealer)
ssdeep	6144:crkmDhFh/mT++w5MDZ7bMeHXRjaxPEdxxr9k90RJAFf:cwwFm+B1e3RjaxPEFr9kKR4f
TLSH	T12184BE00EBA1C034F1B216F84AB99269B93F7EA1673450CB53D516EE4638AE1FC71317
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b5b1f83525d80662248e101459354a7f.exe

Verdict:

Malicious activity

Analysis date:

2021-11-03 20:23:00 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/29d357e6-7cb3-4284-b574-c461f5cdd24f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/202065/

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6182ee7f1c62c3566081964d/reports/f14e2991-13be-47a9-b07f-c5e5ace60699/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/da671417-a3d8-4e1d-9098-fbbf794c46f8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/882605

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e64d7c3c2fc7e7b55352165b23986bf8fde895b989c7c9a8480130666a546bf/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-11-03 10:54:38 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hzsnpq6c7r7hwvjvefs3eomgx6h55ck3tcohzgueqajqmzvfi27q._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udptest discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211103-y3acracael/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.56.146.64:65441

Unpacked files

SH256 hash:

e1ae7e2b33b3dc036f12fac7f372134090935de29d453fdc0c838db5288340ab

MD5 hash:

c1108718dcfb2b7a752e2c4c1e27659d

SHA1 hash:

59c7c4ca474af49a7fc77e58da554f02f9d68191

Link:

https://www.unpac.me/results/dfda267a-a2a6-4bd5-98b4-148b516c2290/

SH256 hash:

b602a2710845fe08f9c0b53c053ddc834e25b3e4cd36e6162ffed3a028346044

MD5 hash:

b4bfd945fe4a51c1a6f4aafa964aea7d

SHA1 hash:

5207263194c4902eb2dee4c2659a1af725057699

Link:

https://www.unpac.me/results/dfda267a-a2a6-4bd5-98b4-148b516c2290/

SH256 hash:

a3016b6e5863c9b51ef7616c7bb720c2a2dc4b4ff545af47aabc8ad82b5dc45c

MD5 hash:

988bab2529a6b385e407ba8ef050dc51

SHA1 hash:

3851cb15de623f44d62581e970ab183d8ed4769c

Link:

https://www.unpac.me/results/dfda267a-a2a6-4bd5-98b4-148b516c2290/

SH256 hash:

3e64d7c3c2fc7e7b55352165b23986bf8fde895b989c7c9a8480130666a546bf

MD5 hash:

b5b1f83525d80662248e101459354a7f

SHA1 hash:

c0aa6c0eaaee32131fbec95897bc5022d7deb71a

Link:

https://www.unpac.me/results/dfda267a-a2a6-4bd5-98b4-148b516c2290/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3e64d7c3c2fc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e64d7c3c2fc7e7b55352165b23986bf8fde895b989c7c9a8480130666a546bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.