MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ef942105f61f4ecb0c4dffced364e0cd3c6b95e9185014c6b54251b7cd90a41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	3ef942105f61f4ecb0c4dffced364e0cd3c6b95e9185014c6b54251b7cd90a41
SHA3-384 hash:	b8bc58fd663d652816bf27d23ae3c6f68dcf0df1073645e2af1eb61b6ed9f84d4de5ff653af09646096025b88e245d1d
SHA1 hash:	a903b0f795f6ec6dc0ad321c697e471b231d5911
MD5 hash:	6d01090dbf303054562cc54a4612a5a8
humanhash:	princess-solar-papa-violet
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	390'656 bytes
First seen:	2023-03-25 10:38:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5af9ea01b72d4cd2cd1c769eba9711ae (10 x RedLineStealer, 1 x CoinMiner, 1 x Rhadamanthys)
ssdeep	6144:Bnf56xdM+m5WXicC/Dj2g6wezpkw2oBB7RBnLOg5t5/nCsTfm:Bnf56xm+Z0D/BdMJNt5/nCqm
Threatray	50 similar samples on MalwareBazaar
TLSH	T1F084BE1252A16830E76386328F2AC7F42E5EF8615E157BFE02589B3F2971FB3D162705
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	008884221b211540 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://194.110.203.101/puta/nsoftwinx64.exe

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-25 10:38:49 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/b9f2c5e5-9813-4ed0-b7c7-b208857bef8e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/377360/

Detection(s):

Win.Dropper.Tofsee-9994349-0

Win.Dropper.Glupteba-9994356-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/641ecf488f3f4544f6cbf73a/reports/80eff177-bd67-4fe8-82d9-30c5f87f5da9/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/3ef942105f61f4ecb0c4dffced364e0cd3c6b95e9185014c6b54251b7cd90a41

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4e99d9f0-86d6-4d5b-86c1-06943af260d4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1201814

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ef942105f61f4ecb0c4dffced364e0cd3c6b95e9185014c6b54251b7cd90a41/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-03-25 10:39:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h34ueec7mh2ozmge376o2nsobtj4nok6sgcqctdlkqsrw7gzbjaq._file

Verdict:

malicious

RedLineStealer

8cd2e380a79b34d7993448cdbd73eb2474230de4297aa5239513504011d89933

RedLineStealer

8e9ee5687cfa20820065d0cde137b74a969a99cccdb7aea81aefc3a979221c62

RedLineStealer

9bc7821632e1a1131405446d0867d157b59e0028b077f382e3f0132618c9887e

RedLineStealer

9f2727bdfd763219f83abb84822108c63dbb410ba13be238292c620eb9f5db9f

RedLineStealer

c5f37ddafa3535a6a3b76acc5c6509b5381012e5d126c2981cec46a272409e3a

RedLineStealer

+ 40 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@germany discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230325-mpyyeacc64/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

185.11.61.125:22344

Unpacked files

SH256 hash:

6795dbb5efc32fb90da0deb66b9b9f79bca2b9c04ba85e11b99c1486e24dfa98

MD5 hash:

ea0399f40f9700d5b1ed80130ccd44cb

SHA1 hash:

e7d6a471e9e45918e8662edfa6a6325bd6daedf5

Link:

https://www.unpac.me/results/316076fa-66e2-44da-990f-e26b6980b7a9/

SH256 hash:

933bf82c604fd7c120a0a917b911fad8bc85f511145ca69154cc37117a6cb622

MD5 hash:

a7e517d69251dfc2f8376b71eb0d8403

SHA1 hash:

bb9268ac5ec3cd12a1c37e01e40f34f9d91fab9b

Detections:

redline

Link:

https://www.unpac.me/results/316076fa-66e2-44da-990f-e26b6980b7a9/

Parent samples :

c5f37ddafa3535a6a3b76acc5c6509b5381012e5d126c2981cec46a272409e3a
96e778e9fe65225a131f9e3c2c05c44a5ceec6549812beff030460641aea6500
14e2872ba87811b677432d96bdd0ec42ca09d014275b6b4db3c2b6ba6e58bfce
42a1e87ed506cc9fa90b736df7bcbcc1a43e552b5e8054f72701e3862e925980
ec22c58ee58853b9c8093a4fc48505c00ca3da534edd942dc90615263a7a8c16
ff09a98f202feb3424cbc314292bc0ebf41e307acab47156944e16f5899435fc
9bf48636ddcbaa03296da875de882a900beff608d06f08b39e813f54fb976729
441f41b5d71d87e71c52db1ec1313b3d1eced25e9eebb3b6d83eb2a97a5cacd8
a880f1cd895d5f8b156b4c95f4972fe6a373105e7e17ac184ac0db4826eac86d
8cd2e380a79b34d7993448cdbd73eb2474230de4297aa5239513504011d89933
9f2727bdfd763219f83abb84822108c63dbb410ba13be238292c620eb9f5db9f
fd27a0d8a325e152b38c31c9d66102e6356b4c7773740e509e03917f88543b5e
1451488667d13af22f9c499d4763d6a5551d31b7f62c91fc698abcf33741b5ff
15f497477ed80181c3edbbee767fd29efb2277f07785e4d2f0010fea93625edf
4d2ca20f77551de7bc6a5788de5252b3d1c3efe011e7f329e873d01a7eb339b5
3ef942105f61f4ecb0c4dffced364e0cd3c6b95e9185014c6b54251b7cd90a41
32dbd91f9642c3153a9d55db5c8d86901fa9c125f1ddee401ab07e564b08656a
03f2e96515c17572eb1d3e0eeeea7ab30e2816096161ec3956c953b6a2882c57
4ef2f1fb1007b2089f04b2ba7b36552d0b93c1dcd92854231dcaf1780c1785c4

SH256 hash:

0a354633ad8f70d2b069fde958c1f0e7ca37b6539347b0c7f4117be331b99e51

MD5 hash:

37d310169cbf1c089ec3f2ee44937c86

SHA1 hash:

191c9143818bf21347115bd87bcfe53c05fd324b

Detections:

redline

Link:

https://www.unpac.me/results/316076fa-66e2-44da-990f-e26b6980b7a9/

Parent samples :

c5f37ddafa3535a6a3b76acc5c6509b5381012e5d126c2981cec46a272409e3a
9bc7821632e1a1131405446d0867d157b59e0028b077f382e3f0132618c9887e
96e778e9fe65225a131f9e3c2c05c44a5ceec6549812beff030460641aea6500
14e2872ba87811b677432d96bdd0ec42ca09d014275b6b4db3c2b6ba6e58bfce
00c7453735b92b52a229aa1b4b5d7c2f61ca5aeb44ac7e9f7a93476cb3f7b064
42a1e87ed506cc9fa90b736df7bcbcc1a43e552b5e8054f72701e3862e925980
57aa83c1093b146313786986b0e1b712ea2a53f0d0c95e1125df1313c0c9bba3
a9979989b6709a7c8c0d588adc4a70f16145a77980288235f3bf31c2daebc877
8a78beb7278acda21f84745e779fe1f2372e6e5e9988dda4348a29b227001b49
ec22c58ee58853b9c8093a4fc48505c00ca3da534edd942dc90615263a7a8c16
ff09a98f202feb3424cbc314292bc0ebf41e307acab47156944e16f5899435fc
6b5f42c5333f844eab55e395ab585f8c298f70e52680947b9e58b4aae888291f
9bf48636ddcbaa03296da875de882a900beff608d06f08b39e813f54fb976729
441f41b5d71d87e71c52db1ec1313b3d1eced25e9eebb3b6d83eb2a97a5cacd8
a880f1cd895d5f8b156b4c95f4972fe6a373105e7e17ac184ac0db4826eac86d
8cd2e380a79b34d7993448cdbd73eb2474230de4297aa5239513504011d89933
9f2727bdfd763219f83abb84822108c63dbb410ba13be238292c620eb9f5db9f
184f4cdcc8095e694f876a5806f2446eab09cb0f7876d2cce7f5c4537cfb1b09
fd27a0d8a325e152b38c31c9d66102e6356b4c7773740e509e03917f88543b5e
de0deb264fa6ae49e89815bad5a063b8636f06b994dd1ea1612b51408ba98b92
1451488667d13af22f9c499d4763d6a5551d31b7f62c91fc698abcf33741b5ff
15f497477ed80181c3edbbee767fd29efb2277f07785e4d2f0010fea93625edf
4d2ca20f77551de7bc6a5788de5252b3d1c3efe011e7f329e873d01a7eb339b5
3de48fc5f0343ae45da8b32c924551074c812894f9f090d9db44f290a5338720
0186553120f556687cc3178395c9d30f5f7536930c29060bdcee47dd34e0adc1
7729dddee47a8d00dbd8be1c07fde55bcbf8e0adf6b60b9cc4b78122cb0980ac
da26a56611511239d248f1f07c85c141a505593f1f3e36b6023a28af62a039cf
8e9ee5687cfa20820065d0cde137b74a969a99cccdb7aea81aefc3a979221c62
3ef942105f61f4ecb0c4dffced364e0cd3c6b95e9185014c6b54251b7cd90a41
3f60fa0671189c1be251ef5a698892b8209c413bfe89b042705b5397214065d0
32dbd91f9642c3153a9d55db5c8d86901fa9c125f1ddee401ab07e564b08656a
d68ba5d832b6dd7257751c3247c32b9f98d7632c1eefa4953eafc6188fb92520
341d969482b09341b19823051659471bc98499f48135c2146387edf9d10c496d
c49f3c06de85718a2636796dbf5bc42aa2dbdb61c25c9f50aded7b0d7750f096
1079b345363b9f3b668760a5841521d86a479ec81f0cdb33a90e78a56b71eff8
03f2e96515c17572eb1d3e0eeeea7ab30e2816096161ec3956c953b6a2882c57
4ef2f1fb1007b2089f04b2ba7b36552d0b93c1dcd92854231dcaf1780c1785c4

SH256 hash:

3ef942105f61f4ecb0c4dffced364e0cd3c6b95e9185014c6b54251b7cd90a41

MD5 hash:

6d01090dbf303054562cc54a4612a5a8

SHA1 hash:

a903b0f795f6ec6dc0ad321c697e471b231d5911

Link:

https://www.unpac.me/results/316076fa-66e2-44da-990f-e26b6980b7a9/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3ef942105f61/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ef942105f61f4ecb0c4dffced364e0cd3c6b95e9185014c6b54251b7cd90a41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/377360/

URLhaus

https://urlhaus.abuse.ch/url/2550717/

URLhaus

https://urlhaus.abuse.ch/url/2403396/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample