MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ed09132d1da26eca39b4584e8207eefc332670ff897f2e933a46c0ac98ba926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ed09132d1da26eca39b4584e8207eefc332670ff897f2e933a46c0ac98ba926
SHA3-384 hash: 5c976faa44a9d2daaa9579a35e097139e14162be9713d2596cda392006064192cc7d5576656b234234e6a40b896fe296
SHA1 hash: e663d99c1434cf079854f382ce11254cb33c908e
MD5 hash: 1080b82a1ff4cbec291ae3f211c329cf
humanhash: mirror-nuts-victor-eighteen
File name:1080b82a1ff4cbec291ae3f211c329cf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:981'592 bytes
First seen:2022-03-29 02:47:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61ffae010ce8fc804af04adc26c6c926 (2 x RedLineStealer)
ssdeep 12288:eJBVqnNu7e4IOlQg4VzpJ6ZnKJMvGUFqhyyNYv8tBch+:eJBkNSBIQQg4VFgZKH71Sv8s+
Threatray 954 similar samples on MalwareBazaar
TLSH T10A25BD8280870D50D8241F74A225A93996AFAFFB3E35E1C69DDAFC7777B31A05170836
File icon (PE):PE icon
dhash icon 40b069e969693040 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:ElectronicArt Birmingem EN
Issuer:ElectronicArt Birmingem EN
Algorithm:sha1WithRSAEncryption
Valid from:2022-03-27T22:05:32Z
Valid to:2032-03-28T22:05:32Z
Serial number: 7b90164ebb3f0c8b42d5c7b02b69a487
Thumbprint Algorithm:SHA256
Thumbprint: fb9a452a66af6186038ecf3fae357d0a1b7e3ee9ad15441e762a2aa0199653ce
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RedLineStealer C2:
185.45.192.228:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.45.192.228:80 https://threatfox.abuse.ch/ioc/460088/

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://mastercracked.com/auslogics-boostspeed-premium-crack/
Verdict:
Malicious activity
Analysis date:
2022-03-29 04:12:47 UTC
Tags:
trojan autoit loader evasion rat redline stealer opendir asyncrat
Link:
https://app.any.run/tasks/77c7d1e6-48e1-4846-954d-a8083111e735

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/258844/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624273639253b276b796bc54/reports/fd173d92-04c6-42f3-a706-75bf237db004/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72ddc5d0-52f7-4c71-994a-cb5132221f2f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/966309
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ed09132d1da26eca39b4584e8207eefc332670ff897f2e933a46c0ac98ba926/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-28 22:45:11 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3ijcmwr3itozi43iwcoqid657btezyp7cl7f2jturwavsmlveta._file
Verdict:
suspicious
Similar samples:
200bc3c5b9588f58fefa31e631b7269ce47650280dfc02d6ad0cc6cb9a30ca56
RedLineStealer
71995b00a1177346060d8ec4dbc8fca6839be511cfd7896c583b4bd8b1a37923
RedLineStealer
99bf05da1be178fe731b05f86f0d95f4816a25bdf273fc1e6f0f6268dd8ae9dc
RedLineStealer
a93ca939d8b87bb722babba5e9b0855031a9cbba96525cd3df2c70dc3b106b0d
RedLineStealer
c4dea5508ce6f00cc43eb9d2bfe55c7d79026aee8f414787699a4983f226ccf7
RedLineStealer
e280ab8b2b76bc9a381aa8a3a8b26daa1f41725b714262c1f263a35ff5a0b7c9
RedLineStealer
e390d009707449faccaefe84265b761b0b7081569627b32b7a9931aec0142191
RedLineStealer
e91f6073dd124d2cdb193022e9c48ee468ec33f8fd1df6b1dedd4f3f58045400
RedLineStealer
+ 944 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220329-dafc3sefej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
973e1acf6bb66a393249078c1c8ae6752cfd0b814f6650cd6c61fdc61900c19d
MD5 hash:
30b2b44ffeeaadcef98cf61fe8f61747
SHA1 hash:
99ecabd9e4fdd46c4ea8c3d761cd11768175899e
Link:
https://www.unpac.me/results/43aa35e1-eb23-4dfc-b339-619749404314/
SH256 hash:
3ed09132d1da26eca39b4584e8207eefc332670ff897f2e933a46c0ac98ba926
MD5 hash:
1080b82a1ff4cbec291ae3f211c329cf
SHA1 hash:
e663d99c1434cf079854f382ce11254cb33c908e
Link:
https://www.unpac.me/results/43aa35e1-eb23-4dfc-b339-619749404314/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3ed09132d1da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ed09132d1da26eca39b4584e8207eefc332670ff897f2e933a46c0ac98ba926

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3ed09132d1da26eca39b4584e8207eefc332670ff897f2e933a46c0ac98ba926

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2117679/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/258844/

Comments