MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c3a0bcf3bdc430a810c776661f9b8ae5b1ca4e7199e32304e310388109d82a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c3a0bcf3bdc430a810c776661f9b8ae5b1ca4e7199e32304e310388109d82a2
SHA3-384 hash: 7307b40c558383990c0a2477c3fc7467e611c3ed23a2a34834e3df7517002f2df01db87f2438cb11488e66c3022015a1
SHA1 hash: 152e6bfae2fc47f3e0de176b6c26906a989ba024
MD5 hash: 4daf628da6f5b5702f4a00e81f0f20d3
humanhash: eighteen-batman-maine-happy
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:427'008 bytes
First seen:2023-02-02 05:53:38 UTC
Last seen:2023-02-02 06:58:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 51ceb91dba0ace98219e4727f07b1743 (12 x RedLineStealer, 8 x Amadey, 5 x Smoke Loader)
ssdeep 6144:2uLjOwNH9b90Nvr26uZYrl6wvZj+Djdr3Z+E7qokmXF9/CJTk637eQfnd5wIB:FFH26nwkr3ZpymXF9CJb7d5w
Threatray 15'206 similar samples on MalwareBazaar
TLSH T11C94BF82B2E0BC88F5358B71AF1EE7E4791FF9604E1877B61218AB1F18711E1C963725
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0d4f232b07060d40 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence

File Origin
# of uploads :
25
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-02 05:56:49 UTC
Tags:
redline
Link:
https://app.any.run/tasks/2920fbcb-4528-4083-9ed5-e1a8bd76ef10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/359366/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63db4ffb89bd67c10fdc2600/reports/a1360859-094c-4dfc-9f77-9be607823066/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82e6d936-681c-4a21-9193-e97dc49c52c4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1163976
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c3a0bcf3bdc430a810c776661f9b8ae5b1ca4e7199e32304e310388109d82a2/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Suspicious
First seen:
2023-02-02 05:54:08 UTC
File Type:
PE (Exe)
Extracted files:
85
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nq5axtz33rbqvaimo5tgd6nyvznrzjhhdgpdemcogebyqee5qkra._file
Verdict:
malicious
Similar samples:
3baf17a23a490f68f9a92415e0bdcd81162f3fec71775de9442817edfdff8a2e
RedLineStealer
3daa3a818177dfaa9ac7f7d5e700d44ac3a11b4f0da40962d08e2c85925801e8
RedLineStealer
4d92e76a82e7547ac6830ecd29dd2080f1e96f4169bea947f8d1199a597679b3
RedLineStealer
6acee31b7d70a5d29bd227366ca6ff41aa3f40086fcb6cdac93181bbb4052bf8
RedLineStealer
755cee37572cd6adec4750735f2a6fd9cdb15dcf3c988d49771a1f5772b51705
RedLineStealer
a3727adaf2de6bae0a02b458c1d6477efaa333e32e26ff9ca59274af216ccb2e
RedLineStealer
de1c0019ba6049f083253597fa8b05028fd13c99c604896ab52a80d8fc436a1b
RedLineStealer
+ 15'196 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@2023@new infostealer
Link:
https://tria.ge/reports/230202-glwe8afb96/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Malware Config
C2 Extraction:
91.215.85.155:32796
Unpacked files
SH256 hash:
623528d7352d7f2f6332ee3d9803dd7723650aa389d74f214c655aaa2367bf2f
MD5 hash:
1836f46cf175fa052b5b621264de0cd1
SHA1 hash:
f4cfdc88021b2a3083cfd00ba398a657ccf9de26
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/b72df93a-f3fc-4978-ad3c-853d42d47314/
Parent samples :
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
3edb9c1cbc84959696a940c97d4387d05ceceda1fdc858954a5aa23127b84454
62b6f858e363c0fc99260b004d1ce9a5d01162c05d822cc841bea375b8b995dc
5270945de8fd0a548e710e4f2464679eda78b06626711bc8359939a68c277b19
ad8e7fb57b9a86ba5c438b0c1df78e2b490c9ecf21a246b1d9ab9cc6b4e61500
2c57cc2b80aebe7b02349c1e229d4628ccf7a6f50d50c7ffb2ab8fa882f62b90
baa5c6d54c809d20b8a2b5c2645f7c6d99c627e1a8e2bb844f071fbcb3cee6e3
cb6d4d5c5b2d13fd3500516555d5552e38c4999ff800d1a9edd8b2eb530b4051
9cfd4fc2b533f3911f6ec8b394ce0b65aae140f262299d2bb91e7e23c1b459bb
b16d0a9838d88be2a53c5d9ca5a1499bef53d0559e780c7d2dfd3fa53d913fd9
87285237de17eb4a4040d5d336d4dc555ee127fbdd0b75a9ce214a58e788f7ac
3c56f8f0c595e632de86f9aa5865aba341b0e51092eae70e39336467774668f7
a638a7e4463db53729556fe2295a74728faf87589009fa9e6764b8f172cd175f
469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6
d8e01062476f0cee7f7a804e33a1244012123542751243376c7e55f85aff73a5
d0eb3a7ceec84f6c5c5c654ece90b9cd1ef9e6ba455f7ceb4c824a0017896af9
700971a9880d4092cccf1f8af862e7ee32c358c79ead449db0c67fab8ee622d8
68196f08c518cad63ebf6538c76b49ac982fecdf4d1c2f004d60d3bfe8513f1b
82c1a672389c26c8aa9ddc2a09d8ed71f0b23f5fa493d9ff7ed71c53b19cbb18
00dd0bd82f4783fa842e6604598e40dd0ead0d3d5d0df5878c18dcf89032d1a6
6890c20621b891bbc399fc5295aed4538a146169751b73f1168abb9d4fd478f3
50699bf9784cab5ae73b37c7b213865f42cf2c936c87f0080ed5b882f7445203
2286dd3e3eae85e5aa331c9371bb6149bacbb394d8a38b33f1af34dfc1c82b2b
ae0d7c4bad7e8699d8a1004ac5995f3ff4c889254c3813f8a3aefed23e0bfa08
83d7fd2c93530ea64b25c9f3dedf6148266986a77e8259689119446f31993eb8
d9f99315c7bc826b74d77a60468a61bf4a8116906e06c264a9bb8b0ff110e0eb
4c512c3009ef6bc0a02abec84060b53953dbcbb0e87ef17251d1019293ada42b
7e92747ebdfb5e24f0fde62ea097f3c6a8366f04f19c9312e2c8ddf03f283af3
f0af1ec74da81f1333687a3e2eaff74c5d5576fec6a7d4f575d59fc82b148634
0354fd1add44f8ff4c683ba6b9a2c518f417e00b6c9d8d08bab0cc78a383464c
3b8b3da7192dc7e73a1f539d75ce4589050f62aa9d93a606aae9c9f8376eddd0
a3727adaf2de6bae0a02b458c1d6477efaa333e32e26ff9ca59274af216ccb2e
3daa3a818177dfaa9ac7f7d5e700d44ac3a11b4f0da40962d08e2c85925801e8
8ab7e5d4df7145d81a04a0d49c406ec8fda10c7f6e7507e29a29277cb154576b
191843e64eb15a8759ae09cf424276c7f231f7d19a526d215ffb0e53075027c1
ec3223e36b0e57a73d2b91a0fbef370915dc50c174b483658bc1390b7b5103eb
72e13ee3f2b24d3832d76a9356b89d3b0b4eaf04cd53a197e56447d00d72e418
fedc9389549072321e29de52764c0c38d7f0354df339dea4d68bbc8c31595e41
e015306e22f249bf9fb6e8a84610f817978af11f2a612f59e1f62597eafa76f0
631ea17c524a31a72bd97071aca991712c59b1b3b69857a5dbfed5a81af18a86
9a37f3c0878238fafdfcfa0bded56819ce029cadfbf110f843bac7e516763a6b
09cd10b5fa6e6fadbf9cb53fb2bed5ea2dffb8869a9e5eacaf859e0882283704
6c3a0bcf3bdc430a810c776661f9b8ae5b1ca4e7199e32304e310388109d82a2
6acee31b7d70a5d29bd227366ca6ff41aa3f40086fcb6cdac93181bbb4052bf8
de1c0019ba6049f083253597fa8b05028fd13c99c604896ab52a80d8fc436a1b
755cee37572cd6adec4750735f2a6fd9cdb15dcf3c988d49771a1f5772b51705
SH256 hash:
188bd143b0e808fb072c233aad773b7c89d1424e6032d17ae1520a1ecab1637e
MD5 hash:
ca8e6e790915296745c7365902b1d080
SHA1 hash:
a005eabb8152ed9b1fbe9dfc58e35315e30c0ad9
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/b72df93a-f3fc-4978-ad3c-853d42d47314/
Parent samples :
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
3edb9c1cbc84959696a940c97d4387d05ceceda1fdc858954a5aa23127b84454
62b6f858e363c0fc99260b004d1ce9a5d01162c05d822cc841bea375b8b995dc
5270945de8fd0a548e710e4f2464679eda78b06626711bc8359939a68c277b19
ad8e7fb57b9a86ba5c438b0c1df78e2b490c9ecf21a246b1d9ab9cc6b4e61500
9cfd4fc2b533f3911f6ec8b394ce0b65aae140f262299d2bb91e7e23c1b459bb
b16d0a9838d88be2a53c5d9ca5a1499bef53d0559e780c7d2dfd3fa53d913fd9
d8e01062476f0cee7f7a804e33a1244012123542751243376c7e55f85aff73a5
d0eb3a7ceec84f6c5c5c654ece90b9cd1ef9e6ba455f7ceb4c824a0017896af9
68196f08c518cad63ebf6538c76b49ac982fecdf4d1c2f004d60d3bfe8513f1b
50699bf9784cab5ae73b37c7b213865f42cf2c936c87f0080ed5b882f7445203
ae0d7c4bad7e8699d8a1004ac5995f3ff4c889254c3813f8a3aefed23e0bfa08
4c512c3009ef6bc0a02abec84060b53953dbcbb0e87ef17251d1019293ada42b
7e92747ebdfb5e24f0fde62ea097f3c6a8366f04f19c9312e2c8ddf03f283af3
f0af1ec74da81f1333687a3e2eaff74c5d5576fec6a7d4f575d59fc82b148634
0354fd1add44f8ff4c683ba6b9a2c518f417e00b6c9d8d08bab0cc78a383464c
3daa3a818177dfaa9ac7f7d5e700d44ac3a11b4f0da40962d08e2c85925801e8
191843e64eb15a8759ae09cf424276c7f231f7d19a526d215ffb0e53075027c1
e015306e22f249bf9fb6e8a84610f817978af11f2a612f59e1f62597eafa76f0
631ea17c524a31a72bd97071aca991712c59b1b3b69857a5dbfed5a81af18a86
9a37f3c0878238fafdfcfa0bded56819ce029cadfbf110f843bac7e516763a6b
6c3a0bcf3bdc430a810c776661f9b8ae5b1ca4e7199e32304e310388109d82a2
6acee31b7d70a5d29bd227366ca6ff41aa3f40086fcb6cdac93181bbb4052bf8
755cee37572cd6adec4750735f2a6fd9cdb15dcf3c988d49771a1f5772b51705
SH256 hash:
f2415e8ac02120f2cd1170eeef80ab710a074e41dbda7cf5a9af96c0e5814496
MD5 hash:
f8530ad04bd70e52c9f1e6427c021401
SHA1 hash:
50c408e94fc2ab9a679b6b23bb187c534a5cdaac
Link:
https://www.unpac.me/results/b72df93a-f3fc-4978-ad3c-853d42d47314/
SH256 hash:
6c3a0bcf3bdc430a810c776661f9b8ae5b1ca4e7199e32304e310388109d82a2
MD5 hash:
4daf628da6f5b5702f4a00e81f0f20d3
SHA1 hash:
152e6bfae2fc47f3e0de176b6c26906a989ba024
Link:
https://www.unpac.me/results/b72df93a-f3fc-4978-ad3c-853d42d47314/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c3a0bcf3bdc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c3a0bcf3bdc430a810c776661f9b8ae5b1ca4e7199e32304e310388109d82a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2403396/
Cape
Cape
https://www.capesandbox.com/analysis/359366/
  
URLhaus
https://urlhaus.abuse.ch/url/2498781/
  
URLhaus
https://urlhaus.abuse.ch/url/2440457/

Comments