MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fd1e5924ec48bb5abc6243cf1641e5f0323ab68d494e5c412a830e45f1e36d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

SHA256 hash: 3fd1e5924ec48bb5abc6243cf1641e5f0323ab68d494e5c412a830e45f1e36d7
SHA3-384 hash: c9eb39d3377804078888da31d409d483ec5a0d6eafc51659d62bba7ae5a9216372127c6708e443db35e06714f1f3dba1
SHA1 hash: 2164d3cbfaebd2a58adf3e1ad06ed5f6e4ead928
MD5 hash: 1043817d0d592f519cadf46caf36d1c6
humanhash: crazy-october-mango-solar
File name: FTXExchange.exe
Signature: RedLineStealer
File size: 1'734'736 bytes
First seen: 2022-11-12 12:38:37 UTC
Last seen: 2022-11-12 14:59:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ee5612dffe4cd5c13fb65a3e987147a3 (3 x RedLineStealer, 1 x Formbook)
ssdeep: 24576:6IuBu5SsFqHllFMco/TSBGIR3AwCctJqSXpnKycHVP5XUbme:6zBu5SsFUlFcbSAVwfZKL1REm
Threatray: 6'167 similar samples on MalwareBazaar
TLSH: T15B851233108ADDD3D32726B2126093ADAD949529A0B5016F83C76793EE7FE91C4F88DD
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f0cce2603092c4e0 (2 x RedLineStealer)
Reporter: Anonymous
Tags: exe RedLineStealer

Anonymous
source: https://twitter.com/FTX_Wallet/status/1591294487959318528

Intelligence

File Origin
# of uploads: 2
# of downloads: 211
Origin country: AU
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: FTXExchange.exe
Verdict: Malicious activity
Analysis date: 2022-11-12 12:37:20 UTC
Tags: redline
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
DNS request
Launching a process
Stealing user critical data
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Unknown
Detection: suspicious
Classification: n/a
Score: 27 / 100
Signature
Machine Learning detection for sample
Behaviour
Behavior Graph:

Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2022-11-12 12:39:11 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 22 of 41 (53.66%)
Threat level: 2/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:ftx infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine
Malware Config
C2 Extraction: 199.34.18.18:48587

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 09d3b92298661321ffcaecc92f72ac6681b6ff7941364b95d8f4d9cb2051ca84
MD5 hash: 853c77c90e01f71905bbd3fbe9a1aef5
SHA1 hash: 05e67edc225cbc29625988bd782c51f5aa2cec94
Detections: redline

SHA256 hash: d5fd3dc51012b4bff7c4174f4c67c46ad50865cc6793a8441a7e1ece8d0de484
MD5 hash: 8eae12af87fe3a7dcc84a40ae917939b
SHA1 hash: 0724c57c8b6422c7134e5bfd1da9729fdde30809

SHA256 hash: 3fd1e5924ec48bb5abc6243cf1641e5f0323ab68d494e5c412a830e45f1e36d7
MD5 hash: 1043817d0d592f519cadf46caf36d1c6
SHA1 hash: 2164d3cbfaebd2a58adf3e1ad06ed5f6e4ead928

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments