MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54e7f557a38a4e034e32b36f1311fe0288fa2ad2e1b2434af23a5e0ec4f86e7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 4

Intelligence 4 IOCs 1 YARA 4 File information Comments

SHA256 hash:	54e7f557a38a4e034e32b36f1311fe0288fa2ad2e1b2434af23a5e0ec4f86e7f
SHA3-384 hash:	5fe95dbf53d5320dff9455d073738c363946c8edc4e6b2d1a428d830035f08bc215d84e64ff575d497e1b973388ffea3
SHA1 hash:	d023074d20d8e291e96e9db750a15c41f497e05c
MD5 hash:	8b3ffcae0ff6eace561dd374813ff489
humanhash:	lake-hot-spaghetti-quebec
File name:	Pure Land Metaverse Alpha.rar
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	14'162'206 bytes
First seen:	2023-03-07 21:29:05 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
Note:	This file is a password protected archive. The password is: pureland2023
ssdeep	393216:X/8KfHxviZbK2cifnJ6ihRd6qFcSVtx/q40/LRjSMD:XzR92ciBDgwqoMD
TLSH	T18DE63316F179227117019B2F1262F0867128388A48DE7A36F7E48A47C56F6FC87BBD47
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	iamdeadlyz
Tags:	162-55-188-117 exe file-pumped PureLand pw pureland2023 rar RedLineStealer

Iamdeadlyz

From thepureland.io (impersonation of Rune Teller - https://store.steampowered.com/app/1944360/Rune_Teller/)
Related incident: https://www.coindesk.com/business/2023/03/02/blockchain-game-the-sandbox-warns-of-phishing-email-after-security-breach/
RedLineStealer C&C: 162.55.188.117:48958

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
162.55.188.117:48958	https://threatfox.abuse.ch/ioc/1078699/

Intelligence

File Origin

# of uploads :

# of downloads :

357

Origin country :

n/a

File Archive Information

This file is a password protected archive. The password is: pureland2023

This file archive contains 23 file(s), sorted by their relevance:

File name:	sharedassets1.assets
File size:	410'084 bytes
SHA256 hash:	c0b7a9d84a1d2de6ee226213e6420ee18d033cb50935ed66e6d3252cad0b400c
MD5 hash:	276f7d9a54bf29fcd2dbc801bf6403a0
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	unity_builtin_extra
File size:	390'644 bytes
SHA256 hash:	b8cad02ee7e8ef68377ebab2b70fa2918420355b0cb29cf7a1b48e0515362bd4
MD5 hash:	e830b287acfc7046bd4ef777b9402e6d
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	globalgamemanagers
File size:	574'140 bytes
SHA256 hash:	ec3d38ed66bf3147355d33bc0cb1ca6a220f70c73c6cc192456287781a51970e
MD5 hash:	fa2f46837817d0ecea82ecfc22b321b2
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	UnityCrashHandler64.exe
File size:	1'232'984 bytes
SHA256 hash:	225827869340676dce8cee2ba8dc7e4007f93f5f28d2c922f33adb3a951f869a
MD5 hash:	141e6688c27c76994dc7821eaddefa3f
MIME type:	application/x-dosexec
Signature	RedLineStealer

File name:	sharedassets1.assets.resS
File size:	8'912'896 bytes
SHA256 hash:	2c6af803b29cd3be8abe70478edb7a2bf4c19a9b7422ef15c03915c0896eb461
MD5 hash:	cc69d0a6f715c050833a9d668c925e4b
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	sharedassets2.assets
File size:	200'244 bytes
SHA256 hash:	cfc36378816d022d04663926b6244b2e9bc00a0caf667cef57307113f8ee2fa0
MD5 hash:	de71b1a7bcdba02008f621738b0bdd6f
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	web.config
File size:	18'857 bytes
SHA256 hash:	15a2c7a9242bf54d3ccb3e07fa6d8f84ba8b303d8877243787a1103009941bdb
MD5 hash:	08101241b15b53ef0ab908f6d388881f
MIME type:	text/xml
Signature	RedLineStealer

File name:	config.xml
File size:	25'817 bytes
SHA256 hash:	0c56e34c69124510fa8c19e7b4c2ca6c1c4ff460ae19f798dd0ca035809e396d
MD5 hash:	f34b330f20dce1bdcce9058fca287099
MIME type:	text/xml
Signature	RedLineStealer

File name:	sharedassets0.assets
File size:	15'729'768 bytes
SHA256 hash:	23265757ef1824a3382b240023049b11e94b09eefce47e16e2b628f29bdfa93c
MD5 hash:	20ce4c7d175335aac3617bb160d8879c
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	settings.map
File size:	2'622 bytes
SHA256 hash:	ce1db1ad8a9512073164e3eccdc193f7eda036e1a9733caec4635de21b2865c8
MD5 hash:	ba17ade8a8e3ee221377534c8136f617
MIME type:	text/xml
Signature	RedLineStealer

File name:	sharedassets0.assets.resS
File size:	9'953'412 bytes
SHA256 hash:	ee83191343cd5a84b1ce9a6df55bc136ddc15c47f5c58f839f48ab776b24f6f7
MD5 hash:	5f685cd19f5d32407d28c2ef2efc0c85
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	config
File size:	3'276 bytes
SHA256 hash:	60099cf91bb1a5717fc1f2d23cf36a61d3bfb70d9489fbb6f4bae98c560bf3d5
MD5 hash:	d9bc824737177af5792846f26507231c
MIME type:	text/plain
Signature	RedLineStealer

File name:	app.info
File size:	41 bytes
SHA256 hash:	d95ab3a0e1a848fed8627741c70a20cde5c5b05df76136bbc5bb447419a44486
MD5 hash:	8422f6bbb1de88f818425091c7d11f90
MIME type:	text/plain
Signature	RedLineStealer

File name:	ScriptingAssemblies.json
File size:	3'782 bytes
SHA256 hash:	342538798e6c47c31c92dc25cbe5ec95d6071f39e0a296862cef9ab20776eed4
MD5 hash:	ccf089f0bb570114f0ca7dc6b1378386
MIME type:	application/json
Signature	RedLineStealer

File name:	sharedassets0.resource
File size:	7'008 bytes
SHA256 hash:	0821af96ecfc09db99f843a57d12a395b6d9a2503f68fa547105dd70a0d7f24a
MD5 hash:	ccbfefdf750008d2065c4b633b55da8d
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	DefaultWsdlHelpGenerator.aspx
File size:	60'575 bytes
SHA256 hash:	751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a
MD5 hash:	f7be9f1841ff92f9d4040aed832e0c79
MIME type:	text/html
Signature	RedLineStealer

File name:	boot.config
File size:	69 bytes
SHA256 hash:	25202c8f0caa8139d220c1db829ac0445de52047059b03c920c7d145ddfeb4ba
MD5 hash:	2b77119d737c1c2caf66bc03e37efed2
MIME type:	text/plain
Signature	RedLineStealer

File name:	browscap.ini
File size:	311'984 bytes
SHA256 hash:	4ddd50f31fb968f30bedefc253a46dc3f2890192d05cdaa9e0a64a056eee807e
MD5 hash:	378be809df7d15aac75a175693e25fbb
MIME type:	text/plain
Signature	RedLineStealer

File name:	unity default resources
File size:	4'844'872 bytes
SHA256 hash:	458713a9e0aca9b787f40e355055a9e8f8193d0a203058b21164035fc573ad4a
MD5 hash:	45ca075a660921149eb37eaf028c14a0
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	Compat.browser
File size:	1'605 bytes
SHA256 hash:	8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741
MD5 hash:	0d831c1264b5b32a39fa347de368fe48
MIME type:	text/plain
Signature	RedLineStealer

File name:	sharedassets2.assets.resS
File size:	7'837'312 bytes
SHA256 hash:	ad971443cb9405a747351f955d80cb67c82a6055d3ee326c92b3785b9cb383ef
MD5 hash:	95b7d04093f91d954c5a063c0709a780
MIME type:	application/octet-stream
Signature	RedLineStealer

File name:	machine.config
File size:	34'106 bytes
SHA256 hash:	ef9b9387168fd1dd6c996f96c134d9c44f8eb06f9587004bf997252a520182d6
MD5 hash:	0869544722561f5aff0eefc83fc7b001
MIME type:	text/xml
Signature	RedLineStealer

File name:	Pure Land Launcher v1.4.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	688'249'296 bytes
SHA256 hash:	48680a6a919a53dfb5eb47a798a9d8135601179630e6308023f30e1f9b13301d
MD5 hash:	02de331d9164e72c10e3b217b2801d89
De-pumped file size:	374'784 bytes (Vs. original size of 688'249'296 bytes)
De-pumped SHA256 hash:	08ed972fb6d88ef000b2825e2818810b282507ec90dcc406fa5999f507a71fc8
De-pumped MD5 hash:	9e4d5fb4a69f85b267e595e3ac2565e3
MIME type:	application/x-dosexec
Signature	RedLineStealer

Vendor Threat Intelligence

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/54e7f557a38a4e034e32b36f1311fe0288fa2ad2e1b2434af23a5e0ec4f86e7f

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/54e7f557a38a4e034e32b36f1311fe0288fa2ad2e1b2434af23a5e0ec4f86e7f/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ktt7kv5drjhagtrswnxrgep6akepukws4gzegsxshjpa5rhynz7q._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/54e7f557a38a4e034e32b36f1311fe0288fa2ad2e1b2434af23a5e0ec4f86e7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

rar 54e7f557a38a4e034e32b36f1311fe0288fa2ad2e1b2434af23a5e0ec4f86e7f

(this sample)

48680a6a919a53dfb5eb47a798a9d8135601179630e6308023f30e1f9b13301d

Dropping

SHA256 48680a6a919a53dfb5eb47a798a9d8135601179630e6308023f30e1f9b13301d

Dropping

SHA256 08ed972fb6d88ef000b2825e2818810b282507ec90dcc406fa5999f507a71fc8

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2562590/

https://twitter.com/Iamdeadlyz/status/1633253641556746240

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample