MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f2ac5e2b182544300f6bd36a6f35a0ab6972c46c1d8a783d23d4eaa247c0f48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	3f2ac5e2b182544300f6bd36a6f35a0ab6972c46c1d8a783d23d4eaa247c0f48
SHA3-384 hash:	e8598eb521cd3a80d1514ae3e43ca8fb4e76755c3a54bf5cadc07647a0aa6d80272c54400b1b496e812840889afd234d
SHA1 hash:	abd64f524ce6c055fe3016c4f1a1f44dba30729f
MD5 hash:	a9cb6eeacb2eafefbb7fc202401fe7c6
humanhash:	black-leopard-lamp-berlin
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'165'824 bytes
First seen:	2023-10-26 19:12:24 UTC
Last seen:	2023-10-27 11:05:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f030c1fd78181b976a79f24c5afc47f8 (4 x RedLineStealer, 3 x RecordBreaker, 1 x Amadey)
ssdeep	24576:/SOKs3Gv5W1TxGQcQkgYYzHpzUcah94OLw:/GBWTxGQcQ5YYeLhKO
Threatray	1'852 similar samples on MalwareBazaar
TLSH	T1F5459E717884D1B3DED224B6479CBA7582BDE0E0670A02CB06F9E7DEDE101D72A3574A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc825067038_675120414?hash=ofV8tZWtQDknSObErFUq2rnV3Esz6p3eJRLOo5yZ3Bg&dl=3JL9LytHzeNyclBz9CDzoiw11Ovw4rTGzbKz11MEPvw&api=1&no_preview=1#1

Intelligence

File Origin

# of uploads :

# of downloads :

387

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/456600/

Detection(s):

Win.Packed.Pwsx-10012424-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Sending a custom TCP request

Creating a window

Connecting to a non-recommended domain

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/653aba3e34de31f579cba49e/reports/c6815fc3-e536-49e2-b832-f372269723d3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/3f2ac5e2b182544300f6bd36a6f35a0ab6972c46c1d8a783d23d4eaa247c0f48

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/def5a784-30fd-45a5-bcee-c93255952894

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1332912

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3f2ac5e2b182544300f6bd36a6f35a0ab6972c46c1d8a783d23d4eaa247c0f48

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/3f2ac5e2b182544300f6bd36a6f35a0ab6972c46c1d8a783d23d4eaa247c0f48/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-10-26 19:13:05 UTC

File Type:

PE (Exe)

AV detection:

18 of 22 (81.82%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h4vmlyvrqjkegahwxu3kn422bk3jolcgyhmkpa6shvhkujd4b5ea._file

Verdict:

malicious

RedLineStealer

552da442720d14329715eec59889e6ff52a3208ebc1adc51f6fc6027ff556c77

RedLineStealer

64263a4ed1a6432b06bc1729d818182081babbe97f02fd6f61f2d09e3e657dc0

RedLineStealer

9db10dca22b6e4b610d74316f7a94f758d32f077666c0b775e9f0f13234f30ff

RedLineStealer

a3738bb20fad0a7d07afc9fa0b666b10351da248ffc10d3f983282d27c8aacc1

RedLineStealer

a577b136f9102cec22df618b02c20adebf43bd506885c8a86caf283dfbe5b373

RedLineStealer

a86d6cd6cba4a3dce4ad3fa2948f623831b181714dd945bbdde831f39229412d

RedLineStealer

c2a8183fc1a1d26a3e4f1116ce52abace67d9e30a29b6be1703ff355102eb05c

RedLineStealer

cdd2732dab9b93cef835ca681538205972a178fec406812be33889a4aa28b4d4

RedLineStealer

cfbd24a3ff45eb3d630bbe3fa9d8db4fc6c4e78da702a3e5f1aec08973b60c2a

RedLineStealer

+ 1'842 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer spyware

Link:

https://tria.ge/reports/231026-xw2yragc95/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

194.169.175.234:27221

Unpacked files

SH256 hash:

4fe8b707cde90693d192031ca1b286ce620117ea89d32284c30df2f4fcab5588

MD5 hash:

f3861bd39a832406c030ef97bc69c301

SHA1 hash:

1383f73c074e4d616d33a666580963d2cf4dbd11

Detections:

redline

Link:

https://www.unpac.me/results/29897269-9894-4b2b-bfc8-f6ddfb2055b4/

Parent samples :

3f2ac5e2b182544300f6bd36a6f35a0ab6972c46c1d8a783d23d4eaa247c0f48
c5b6f1fb4284c8e7941d48becf370434bd2fc306b116399b26752fc834e4dafe
29fde91446fa3c1026fa8ab4fd1a1dbe218318166d3e236fce9dfdc7f527d949
47e21ddc3a9c6ba14d207bd23cd5dd155df00f3952f9e25c3f962b944bf89288

SH256 hash:

3f2ac5e2b182544300f6bd36a6f35a0ab6972c46c1d8a783d23d4eaa247c0f48

MD5 hash:

a9cb6eeacb2eafefbb7fc202401fe7c6

SHA1 hash:

abd64f524ce6c055fe3016c4f1a1f44dba30729f

Link:

https://www.unpac.me/results/29897269-9894-4b2b-bfc8-f6ddfb2055b4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3f2ac5e2b182/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3f2ac5e2b182544300f6bd36a6f35a0ab6972c46c1d8a783d23d4eaa247c0f48

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/456600/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample