MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3eee101d3dc8a6adfb1168bd543bcb2fe419959050878fa47e98cc9587697c26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3eee101d3dc8a6adfb1168bd543bcb2fe419959050878fa47e98cc9587697c26
SHA3-384 hash: 29bf3f701e52b7e25934d849415ce2f36d38e8b867941b80379a0d247527079ec7262b7c8e031c586682ea56dc0dd0bb
SHA1 hash: 93b46893135fae7e01952b028cc241b633e7acd1
MD5 hash: 93aee3058eabaf3a96decd736bd1bc97
humanhash: cat-purple-alpha-asparagus
File name:93aee3058eabaf3a96decd736bd1bc97.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:209'408 bytes
First seen:2021-03-26 07:55:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 3072:GDKW1LgppLRHMY0TBfJvjcTp5Xho5z4N25NzKkHiVAp/:GDKW1Lgbdl0TBBvjc/CaIzzKkHiVC
Threatray 508 similar samples on MalwareBazaar
TLSH 1424AE2171C0C1B3C4B7153444E6CB799A6A70710B7A96D7BB9D27BA6F203E1A3362CD
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://194.156.98.159:3214/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.156.98.159:3214/ https://threatfox.abuse.ch/ioc/5377/

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
93aee3058eabaf3a96decd736bd1bc97.exe
Verdict:
Malicious activity
Analysis date:
2021-03-26 07:57:41 UTC
Tags:
rat redline trojan evasion
Link:
https://app.any.run/tasks/9715dc44-59ee-47da-b7b0-004cbd7acbc5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/caa606e3-3c54-4918-8bf1-4e4940b2f054
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/654718
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376294 Sample: 2sOfVsf40V.exe Startdate: 26/03/2021 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 5 other signatures 2->52 7 2sOfVsf40V.exe 16 38 2->7         started        process3 dnsIp4 38 8.8.8.8 GOOGLEUS United States 7->38 40 172.67.75.172 CLOUDFLARENETUS United States 7->40 42 5 other IPs or domains 7->42 26 C:\Users\user\AppData\Local\...\swoooork.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\Temp\sork.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\2sOfVsf40V.exe.log, ASCII 7->30 dropped 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->56 58 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->58 12 swoooork.exe 3 7->12         started        15 sork.exe 14 2 7->15         started        18 iexplore.exe 2 84 7->18         started        file5 signatures6 process7 dnsIp8 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->60 62 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->62 64 Injects a PE file into a foreign processes 12->64 20 swoooork.exe 14 22 12->20         started        44 81.177.140.169 RTCOMM-ASRU Russian Federation 15->44 66 Multi AV Scanner detection for dropped file 15->66 24 iexplore.exe 34 18->24         started        signatures9 process10 dnsIp11 32 87.251.71.113 RMINJINERINGRU Russian Federation 20->32 34 104.26.13.31 CLOUDFLARENETUS United States 20->34 54 Tries to harvest and steal browser information (history, passwords, etc) 20->54 36 88.99.66.31 HETZNER-ASDE Germany 24->36 signatures12
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3eee101d3dc8a6adfb1168bd543bcb2fe419959050878fa47e98cc9587697c26/
Threat name:
Win32.Trojan.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 00:17:38 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3xbahj5zctk36yrnc6vio6lf7sbtfmqkcdy7jd6tdgjlb3jpqta._file
Verdict:
malicious
Similar samples:
07967e861e991eabea5649e7e6de840028a2b217d2a9f354315c9b8f25e34068
RedLineStealer
0af8d47a09b1f5ea9544e89eb83e8a572b8a78fcb28db74ee523da4b1797cd3e
RedLineStealer
1c0eb090ad769cdd943476e9300d57e553ad24f099408334b8c0370ee9bb7648
RedLineStealer
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
RedLineStealer
79afc9b39ba7fe7dd6ed282d39eb915bb47271d552177f62c6606b99901f9cd2
RedLineStealer
916df1aaac228a40f1981b539742aee6d0009fdce746f14eb646a7c70fa2cc4d
RedLineStealer
9a693191c99ec28e49e610cd89af5137fb077ad8b4d7452828dbabd055e65384
RedLineStealer
ceb9cf440fc521f09a503e90889acb7f51b4c39ce8a8c4d37dd8304fca2db4ce
RedLineStealer
d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad
RedLineStealer
f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92
RedLineStealer
+ 498 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer link pdf spyware stealer
Link:
https://tria.ge/reports/210326-14c6gt8sta/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
HTTP links in PDF interactive object
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
Unpacked files
SH256 hash:
ce9907c581a88e8d601f3b6f14b29400080b4a2af8854aac99771514bbe7a67d
MD5 hash:
67dae6ff6a9cc2f6a1153da61122c3d5
SHA1 hash:
cb69709e020a3efbc6be212543e7970ef0bf6b43
Link:
https://www.unpac.me/results/3662845e-f30d-4c3c-afe0-1e6824ff6c78/
SH256 hash:
c3df38856bf6f471f54a37c9e85e2866f03c39abad73f1c2fc5ae2e2c77a05ae
MD5 hash:
ad38f7bc812731df2965f4c3d6d98433
SHA1 hash:
b688cf354462d293c04e03fe99f421d6222dd33b
Link:
https://www.unpac.me/results/3662845e-f30d-4c3c-afe0-1e6824ff6c78/
SH256 hash:
3eee101d3dc8a6adfb1168bd543bcb2fe419959050878fa47e98cc9587697c26
MD5 hash:
93aee3058eabaf3a96decd736bd1bc97
SHA1 hash:
93b46893135fae7e01952b028cc241b633e7acd1
Link:
https://www.unpac.me/results/3662845e-f30d-4c3c-afe0-1e6824ff6c78/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3eee101d3dc8a6adfb1168bd543bcb2fe419959050878fa47e98cc9587697c26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3eee101d3dc8a6adfb1168bd543bcb2fe419959050878fa47e98cc9587697c26

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1011491/
  
Delivery method
Distributed via web download

Comments