MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af3bf861bae05aaaea96d97ae10a56fff11d9158cdd61198334871a578b4ca81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: af3bf861bae05aaaea96d97ae10a56fff11d9158cdd61198334871a578b4ca81
SHA3-384 hash: b07f944a5fb2737d383c3521c99b0cbf066f9797166a6b07137402d7d740fe5791ab02dd27a99c280320ed6bc126e085
SHA1 hash: 565499ffde5862897a39d47d462fc85fc309e4f3
MD5 hash: bb879051323108e1131809141a06421c
humanhash: oregon-nitrogen-quiet-cola
File name: af3bf861bae05aaaea96d97ae10a56fff11d9158cdd61198334871a578b4ca81
Signature RedLineStealer
File size: 1'159'168 bytes
First seen: 2023-10-10 11:40:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2f727a975c44a2925ace416e4a5ad2d8 (2 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 24576:/OrtUWbd/HfetRrjIVI9OtNjI3Z3r15j1fRofLpbnmjdPGdtaW5AYChLHJ:/IUWd/etVI6OzjMv1fRElGGveHJ
TLSH T1D535DF3CADACC636CC2E5A7049C68BDC47657FD02D2C588E37D539084BF6142A698E9F
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon d486e0cccce8b4a8 (2 x RaccoonStealer, 2 x RedLineStealer)
Reporter adrian__luca
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 307
Origin country: HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
af3bf861bae05aaaea96d97ae10a56fff11d9158cdd61198334871a578b4ca81
Verdict:
Malicious activity
Analysis date:
2023-08-07 13:21:59 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Gathering data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug aspack dllhost enigma enigma_virtual_box hh lolbin packed rat razy regsvr32 replace
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-07-30 04:13:00 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
26 of 36 (72.22%)
Threat level:
2/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
7/10
Tags:
aspackv2 persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 8b0e2f19cb991a792369b5fcbde10d3964c804df736b3ff3df22aac862bdbac5
MD5 hash: 12e85434d2cd716c6c0b64bbe3096586
SHA1 hash: f574bfe083712762b8e1d0c1f36ba83b347dbd60
SHA256 hash: fbd637161406b6f4a2625c3acf069d56905d2079f6f97d7c92e1ba80e9e3ff73
MD5 hash: b0e9608be81f0fc702272fb195c0397b
SHA1 hash: c1e7d2d6b0a164c97c202685be0c8741c6414341
SHA256 hash: 95349cbb0ce9bd2bb939c04e611750eca5d1ac1b8baa53641c28c147a59dc725
MD5 hash: 95b2c0f892fe4c15ac1d4929bcb54df1
SHA1 hash: b13abc14da4b7f1c0a8f5aacd98f0c6fb18873fd
SHA256 hash: 631ff54eb8268616398a6d6837e6d72dcac1722e68dc9e3cb3385459e2b167f5
MD5 hash: ab77f7db4d68b392e7c52b3144ba31be
SHA1 hash: 9a0b122491c650671f986492d389cc3afe248787
SHA256 hash: 67df2c608e7e1898b8be0bf1e77b7e2cc9a39a178a09d205413e3d3c8ef89886
MD5 hash: 6562a0e42a0ce37d3d7ce3616836c3e8
SHA1 hash: 4bd6d7c4b5b1c926955eed4254facb9abbbb455a
SHA256 hash: add2371f1c02ed49446c479caa6890d84e51a1cf665f05ee17c16a0957c1db8e
MD5 hash: ab7a95bc7eb3b33b45bd718780c1d36c
SHA1 hash: 1c104c6ffa79d73249882886a34080ffc5042e4e
SHA256 hash: af3bf861bae05aaaea96d97ae10a56fff11d9158cdd61198334871a578b4ca81
MD5 hash: bb879051323108e1131809141a06421c
SHA1 hash: 565499ffde5862897a39d47d462fc85fc309e4f3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ASPackv212AlexeySolodovnikov
Author: malware-lu
Rule name: ASProtectV2XDLLAlexeySolodovnikov
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: extracted_at_0x44b
Author: cb
Description: sample - file extracted_at_0x44b.exe
Reference: Internal Research
Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-bit mode
Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_EXE_Packed_Enigma
Author: ditekSHen
Description: Detects executables packed with Enigma
Rule name: INDICATOR_EXE_Packed_Loader
Author: ditekSHen
Description: Detects packed executables observed in Molerats
Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MAL_Unknown_PWDumper_Apr18_3
Author: Florian Roth (Nextron Systems)
Description: Detects sample from unknown sample set - IL origin
Reference: Internal Research
Rule name: MAL_Unknown_PWDumper_Apr18_3_RID312A
Author: Florian Roth
Description: Detects sample from unknown sample set - IL origin
Reference: Internal Research
Rule name: NET
Author: malware-lu
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments