MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f4a6504fe8dc05ff75fe4a3bdf27eb509b2431ebaf4e189c23b9297ea300f19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	3f4a6504fe8dc05ff75fe4a3bdf27eb509b2431ebaf4e189c23b9297ea300f19
SHA3-384 hash:	24fc47a85e248325d8bb42d6e95b2e020cd9e3a57e1ddda0a23d9527d3fdbeccb28b1aa3853860fe8fa7b2c6f722bdc6
SHA1 hash:	66d7883449483a44232053f77ed1701c3c3ac9e3
MD5 hash:	6a42e481e8c2f649a854b08cdaf73be4
humanhash:	wisconsin-johnny-saturn-december
File name:	Setup.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'339'640 bytes
First seen:	2021-07-26 20:08:45 UTC
Last seen:	2021-07-26 20:44:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	98304:IKrcrWU7bkmj4KpnQpzzAtXyH9mD58loeXvsWu3ofBiSOq:IvrWU7bkUpnWzU4Y8llXqofBiJq
Threatray	2'546 similar samples on MalwareBazaar
TLSH	T1EBF5335188A2AE65CA0B563980FAC50D2F4D74458D60CBE1F8A566F8EF43937B37C7B0
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Setup.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-26 20:10:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f90980f6-0b33-4c48-b5c4-b60a89b99bf6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/174202/

Detection(s):

SecuriteInfo.com.Variant.Razy.897488.31501.5039.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Launching a service

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Sending an HTTP GET request to an infection source

Creating a file in the %AppData% directory

Launching a process

Creating a file in the Windows subdirectories

Connection attempt to an infection source

Stealing user critical data

Query of malicious DNS domain

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/67fcc886-cc30-4948-ad7c-3539cb1733ec

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821991

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Hides threads from debuggers

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Potential time zone aware malware

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Infostealer.Reline

Status:

Malicious

First seen:

2021-07-26 20:09:05 UTC

AV detection:

10 of 46 (21.74%)

Threat level:

5/5

Verdict:

unknown

RedLineStealer

2e5c841497c4beb1aa615b1ae401e099af9e7134f021d67a15700f1e8a18c543

RedLineStealer

41c2bbd61ad11d1fd1e1c8771edd92d1ab5df475c65764c2c5153f6afef84894

RedLineStealer

46b808244406eaac6aaaec7440ee63fba5e0c7b51bc40a49e0db3f17586d0c34

RedLineStealer

752abe1050403b95676de500b60db8b36e26f02e4b24eb84ae9f4daf6d03b957

RedLineStealer

9237e5cae5f698d5ad9f6c61af8bd866e599abb05f5bc49474d98e269a29a588

RedLineStealer

9fefa41ed2d1032a787fbe2c1d8f1f4d3d93c717b4ab7aef6de94d50012b113c

RedLineStealer

a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2

RedLineStealer

c74725fe1e3f3681bc7033ce7694b98075d395c06ba22989216d4288db559e85

RedLineStealer

e5a666bc9d8b7c4a483d8a9204919dc454bca394cd22ac150aaf18bbb80b0b89

RedLineStealer

+ 2'536 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/210726-qfjk9rk91e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/1e31d4f5-90c4-408d-b5c0-e8c8dd1509ff/

SH256 hash:

3f4a6504fe8dc05ff75fe4a3bdf27eb509b2431ebaf4e189c23b9297ea300f19

MD5 hash:

6a42e481e8c2f649a854b08cdaf73be4

SHA1 hash:

66d7883449483a44232053f77ed1701c3c3ac9e3

Link:

https://www.unpac.me/results/1e31d4f5-90c4-408d-b5c0-e8c8dd1509ff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/3f4a6504fe8dc05ff75fe4a3bdf27eb509b2431ebaf4e189c23b9297ea300f19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/174202/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample