MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ef2031bfa11d5d3185989e60d8ff3568231c78628ff6bb851ae135d222a88a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 3ef2031bfa11d5d3185989e60d8ff3568231c78628ff6bb851ae135d222a88a1
SHA3-384 hash: 1a0cfe1ce4c7b862ccdff521ef8953938c07035178e101511c236816b8f5a9684e34c303b4bb9f150908efd206c39b04
SHA1 hash: bbc5ecbe78040246bf45fb0ddc800920e3027236
MD5 hash: 1588eeed112f7a75a0f7dfe628480302
humanhash: echo-arkansas-winner-mockingbird
File name: 3ef2031bfa11d5d3185989e60d8ff3568231c78628ff6.exe
Signature: RedLineStealer
File size: 434'688 bytes
First seen: 2021-06-23 14:35:51 UTC
Last seen: 2021-06-23 15:44:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c5f88ba6771d8ff33e7b31b259b694f4 (1 x RedLineStealer, 1 x Formbook)
ssdeep: 12288:2gOcG3C7vaCBvFRuHwTM5tLLf8pSrvioRe:2eG3C7vFvWr5tLLMWxe
Threatray: 2'789 similar samples on MalwareBazaar
TLSH: EF949D10A6A0C035F1F756F89A76D3ADA52E7D615B2050CF22E5EAEE06347E1EC3131B
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.215.113.50:43919

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
185.215.113.50:43919 | https://threatfox.abuse.ch/ioc/150120/
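The hash fields above and the IOC table are the two things a responder actually pulls from an entry like this: the file hashes to confirm that a downloaded sample (or a file found on an endpoint) really is the catalogued one, and the C2 socket to sweep connection logs. The following script is an added example, not MalwareBazaar's or abuse.ch's code. It parses a constructed extract of this record (values copied from the page, layout simplified), sweeps a constructed connection log in a hypothetical "<ts> <src> -> <dst> <proto>" format, and verifies a blob against all three file hashes. It keeps imphash apart from the MD5 because the entry itself says the imphash is shared with a Formbook sample, so it is a hunting pivot rather than an identity for the file, and it scores an address-only hit lower than an ip:port hit because the listener port can move between campaigns.

```python
import hashlib
import re

# Constructed extract of the MalwareBazaar record on this page: the values are
# copied from the entry above, only the layout is simplified for parsing.
RECORD = """\
SHA256 hash: 3ef2031bfa11d5d3185989e60d8ff3568231c78628ff6bb851ae135d222a88a1
SHA1 hash: bbc5ecbe78040246bf45fb0ddc800920e3027236
MD5 hash: 1588eeed112f7a75a0f7dfe628480302
imphash c5f88ba6771d8ff33e7b31b259b694f4 (1 x RedLineStealer, 1 x Formbook)
RedLineStealer C2:
185.215.113.50:43919
"""

# Constructed connection log in a hypothetical "<ts> <src> -> <dst> <proto>"
# layout; the first line reproduces the page's C2 socket, the third only its IP.
CONN_LOG = [
    "2021-06-23T14:41:02Z 10.0.0.15:51234 -> 185.215.113.50:43919 tcp",
    "2021-06-23T14:41:05Z 10.0.0.15:51235 -> 203.0.113.10:443 tcp",
    "2021-06-23T15:02:11Z 10.0.0.22:49801 -> 185.215.113.50:8080 tcp",
]

HASH_RE = re.compile(r"\b([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_record(text):
    """Collect file hashes and C2 sockets from the record text.

    imphash is kept separate: it has the same length as an MD5, and the entry
    notes it is shared with a Formbook sample, so it is a pivot for hunting,
    not an identity for the file."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set(), "imphash": set(), "c2": set()}
    for line in text.splitlines():
        for digest in HASH_RE.findall(line):
            digest = digest.lower()
            kind = "imphash" if line.lower().startswith("imphash") else HASH_KIND[len(digest)]
            iocs[kind].add(digest)
        for ip, port in SOCKET_RE.findall(line):
            iocs["c2"].add((ip, int(port)))
    return iocs


def match_connections(iocs, conn_lines):
    """Return (confidence, line) for every connection whose destination touches a C2.

    A full ip:port match is tagged "c2"; an address-only match is tagged
    "ip-only" because the operator can move the listener to another port."""
    c2_ips = {ip for ip, _ in iocs["c2"]}
    hits = []
    for line in conn_lines:
        sockets = SOCKET_RE.findall(line)
        if len(sockets) != 2:  # expect exactly a source and a destination socket
            continue
        dst_ip, dst_port = sockets[1][0], int(sockets[1][1])
        if (dst_ip, dst_port) in iocs["c2"]:
            hits.append(("c2", line))
        elif dst_ip in c2_ips:
            hits.append(("ip-only", line))
    return hits


def verify_sample(data, iocs):
    """Check a downloaded blob against every file hash in the record before
    analysing it; a mismatch means the wrong file or a corrupt download."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return all(digests[kind] in iocs[kind] for kind in digests)


if __name__ == "__main__":
    iocs = parse_record(RECORD)
    for confidence, line in match_connections(iocs, CONN_LOG):
        print(confidence, line)
    print("sample verified:", verify_sample(b"not the catalogued sample", iocs))
```

On the constructed log the first line scores "c2" and the third only "ip-only"; the verify call returns False because the constructed bytes are not the sample. To use it on a real download, read the extracted file as bytes and pass it to verify_sample before opening it in any analysis tool.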

Intelligence


File Origin
# of uploads: 2
# of downloads: 125
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 3ef2031bfa11d5d3185989e60d8ff3568231c78628ff6.exe
Verdict: Malicious activity
Analysis date: 2021-06-23 14:40:29 UTC
Tags: trojan rat redline stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: MALICIOUS
Details:
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature:
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer

Threat name: Win32.Trojan.Zenpak
Status: Malicious
First seen: 2021-06-23 14:36:19 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: BzETRSkOAx06J1EcBzE5ASswC1M6MChRBzEfSQ== (encoded value as extracted; the C2 listed under IOCs for this sample is 185.215.113.50:43919)
Unpacked files:
SHA256 hash: 6e9c04cc26e7a5f49005e80a711281f4f8ea79c046217aa1d08110c00c13730b
MD5 hash: 3876eac9f607f235703e5d5fe1e1f468
SHA1 hash: 757c9e609bf4609ced7a6f633d1c564cb59f1b49

SHA256 hash: 0bf73608af671effd0151acc6293c66d469878b618d420ce19433efa279a358c
MD5 hash: 8dd54020eb70d4a4d9c059b60c8742e8
SHA1 hash: 4ed7461e6c84472d157015e2da3fd00c7bf62b58

SHA256 hash: 13429c9c88e5f8561e5e17c8170a60f5a5cb623653136243608a7cfff026278c
MD5 hash: 0fe44b6fd48d7d9889bdb06fc6935918
SHA1 hash: 1df7f6393b4a04865d88bfeafeb4d75c032e7ed3

SHA256 hash: 3ef2031bfa11d5d3185989e60d8ff3568231c78628ff6bb851ae135d222a88a1
MD5 hash: 1588eeed112f7a75a0f7dfe628480302
SHA1 hash: bbc5ecbe78040246bf45fb0ddc800920e3027236

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments