MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a834bb0a2c49bd8a1920f754ca1788eaea57d3218e3bd0fd5770e5fa091a3736. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	a834bb0a2c49bd8a1920f754ca1788eaea57d3218e3bd0fd5770e5fa091a3736
SHA3-384 hash:	4418d244f12affab5771213aeefcc32b824825e3cb7a90afefcdfb405876fc2f264f4a9ac4c6a55d4f018678cecdb2b6
SHA1 hash:	77e2df1ee6b939dbd6e1c96cbc22520d89ab08a4
MD5 hash:	3dd8de2068a9bd1e5f5df58a2c9d23c6
humanhash:	magazine-charlie-sweet-colorado
File name:	3dd8de2068a9bd1e5f5df58a2c9d23c6.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'871'472 bytes
First seen:	2022-03-03 08:34:54 UTC
Last seen:	2022-03-16 23:30:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fddc083fa31a17c938d0a17ec7cd3025 (141 x RedLineStealer, 4 x RaccoonStealer, 1 x Formbook)
ssdeep	98304:10E9th5IPQoMwvzQauN2D5Kyd41PotJJ2wzurzXoPtDEtTI22hegBNG:10Q5iQauN2VKy61wtr2iMYPt9j8aI
Threatray	4'883 similar samples on MalwareBazaar
TLSH	T1CC3633E870C90A0CCE48EAB838F9F191757020A1D9F716672ACBCEC19B75D669C46D4F
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246768/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Sending a custom TCP request

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/523efe7c-eb4d-4727-9689-537b0c98dcea

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949853

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a834bb0a2c49bd8a1920f754ca1788eaea57d3218e3bd0fd5770e5fa091a3736/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-02-21 06:09:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=va2lwcrmjg6yugja65kmuf4i5lvfpuzbry55b7kxods7uci2g43a._file

Verdict:

malicious

RedLineStealer

0caba418b4b1ec32a00cdd52e3f6f28b7e8de0ffec030cfd8ae661538619b72b

RedLineStealer

24fe35fea083b89f0cc62ef8b9df0de29395be57b0ee1b160229d667785b6bf0

RedLineStealer

29e2eb857dc6f1b5c2ce97acdad6c3957cbb8dc61b3a5dcaa81e9e925bc006a5

RedLineStealer

c57ec94c7fed128887694b07d817af02c2d19aac98d8d1fbd4004a8accee4ee5

RedLineStealer

f4036a8affaa6f227d3fce3a98b5b9bb752cd434f04587ea4105c58fc96404e2

RedLineStealer

+ 4'873 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220303-kg2cfsaad5/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

6ec73213f841d4480265990fc1e004f5f0952b0c184bfe4fd79723133134dbe6

MD5 hash:

cc7ab773b6341d844ea0a450db1d3b88

SHA1 hash:

586ba6717553f418dec7ce97da304dded9fcf5a2

Link:

https://www.unpac.me/results/c8805461-c14b-4ec4-824f-0581a2922fd6/

SH256 hash:

e329ad9116a0e12f83e058af5ed981a63de81c2966fbe15e15011a047f5ae08e

MD5 hash:

8e45e0e8745105942537638a420d359c

SHA1 hash:

4a14e8374b81d9b5d9a9e03c20916a2ac83d851b

Link:

https://www.unpac.me/results/c8805461-c14b-4ec4-824f-0581a2922fd6/

SH256 hash:

a834bb0a2c49bd8a1920f754ca1788eaea57d3218e3bd0fd5770e5fa091a3736

MD5 hash:

3dd8de2068a9bd1e5f5df58a2c9d23c6

SHA1 hash:

77e2df1ee6b939dbd6e1c96cbc22520d89ab08a4

Link:

https://www.unpac.me/results/c8805461-c14b-4ec4-824f-0581a2922fd6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a834bb0a2c49bd8a1920f754ca1788eaea57d3218e3bd0fd5770e5fa091a3736

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/