MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2
SHA3-384 hash:	7adf64282f26d38d750493e886cd2a69b54bbfe8d5b42ef509f24fcc73c0ab100a724048f1c2832354a43efe865b57fb
SHA1 hash:	823aa91b6e4ecf3bb68a2154a122e6a9ffc7bf89
MD5 hash:	8b5cf3d102548da37888f34d3d468e27
humanhash:	oven-apart-asparagus-monkey
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	744'960 bytes
First seen:	2024-01-25 18:59:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	12288:mh1Fk70TnvjcXHKkdNTYkpfxQmclBuFTEAtvqsuIGnyd30w4KA9LdX+/UwS0iSbq:Ak70Trc31dNckBxQmUBuFTEAtCsuI9d8
TLSH	T11DF412307181C1B6C4B6113849D5CA369E3A74710F7AA6DBBBDC2BB9AE113E173351CA
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	Bitsight
Tags:	exe RedLineStealer

Bitsight

url: http://109.107.182.3/lego/MRK.exe

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f.exe

Verdict:

Malicious activity

Analysis date:

2024-01-26 06:13:33 UTC

Tags:

amadey botnet stealer loader redline risepro fabookie evasion

Link:

https://app.any.run/tasks/5f8999f3-a417-4b1b-b748-629f259dcee5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/472939/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

DNS request

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint packed

Link:

https://www.filescan.io/uploads/65b2afb6fc0458d7ffdb2c97/reports/cb7fb54a-8611-4a41-8b30-c3176b08f1d0/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0190054e-e347-44f8-b83f-6c93a5073b66

Result

Threat name:

LummaC, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1381320

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h2hb5lusij6alu3lxrtfoijyfl2zoj4a4ct42rhdh5rwqsy46pra._file

Verdict:

malicious

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma stealer

Link:

https://tria.ge/reports/240125-xnmh4aebcm/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

.NET Reactor proctector

Lumma Stealer

Malware Config

C2 Extraction:

https://willpoweragreebokkskiew.site/api
https://braidfadefriendklypk.site/api

Unpacked files

SH256 hash:

d6aee343e6beeb2a48cec2ad871c3e4b8391d67f6c1f8b573ffaa00db559b6b9

MD5 hash:

082985cc2f648e2a6c3181e3329fc8ea

SHA1 hash:

ef8791ce85246ff57ef2aa0e66d6e84ee440e26c

Link:

https://www.unpac.me/results/b551f747-bb0e-4502-a7c7-211ff7e5cfc4/

SH256 hash:

e9852968d46626970f996de8a528a0dfab3b8b0c3c8e15076c72d02b24f5cccd

MD5 hash:

a474f5c809bb1df5bb95e9ae2ff38e53

SHA1 hash:

9b80de4029a5b271018a138851b712405937004d

Detections:

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/b551f747-bb0e-4502-a7c7-211ff7e5cfc4/

SH256 hash:

0da5e97da72dd51c244f04aebd0ff0f388907609a1adf9e186c608918360d334

MD5 hash:

45ae2cb99a05ac48e7b3c5265b452a06

SHA1 hash:

6d630b298d1fdd995415ea5912decb91a50bd454

Detections:

INDICATOR_EXE_Packed_DotNetReactor

RedLine_Campaign_June2021

Link:

https://www.unpac.me/results/b551f747-bb0e-4502-a7c7-211ff7e5cfc4/

SH256 hash:

3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2

MD5 hash:

8b5cf3d102548da37888f34d3d468e27

SHA1 hash:

823aa91b6e4ecf3bb68a2154a122e6a9ffc7bf89

Detections:

MAL_Malware_Imphash_Mar23_1

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/b551f747-bb0e-4502-a7c7-211ff7e5cfc4/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3e8e1eae9242/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/