MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b35e9c0d9230cdcf4531fa84184e99f79f4de3fd91264f7ab3ce7d23246a8669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b35e9c0d9230cdcf4531fa84184e99f79f4de3fd91264f7ab3ce7d23246a8669
SHA3-384 hash: 530bcd3e03c0b1948d4696db82ec683a48c442af34e58294f5f0363ac409989eb3c010b814d850ffc76452b849299586
SHA1 hash: 38094ac01c3ec7ad020e6c3544314f2647c7aafa
MD5 hash: 31552485c982bbf44b3339285d67739b
humanhash: tennis-delta-foxtrot-mango
File name:31552485c982bbf44b3339285d67739b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:326'144 bytes
First seen:2022-07-11 16:13:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc9439d0d3977722a2b07bec74e5037b (2 x RedLineStealer, 1 x RecordBreaker)
ssdeep 6144:nZy890/bAFJ3Moib3XLW3iDhNPlctEheV5OVdz2RkSiga:nE8cY3ob3XLrhRTeWXz2KX
Threatray 6'172 similar samples on MalwareBazaar
TLSH T1BC64E031B3F0D831D1A2CE355430D7A12A77BC626975958BF394BB2F2E743816A703A6
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c01edecea68c8ccc (154 x RedLineStealer, 98 x Smoke Loader, 36 x Stop)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
31552485c982bbf44b3339285d67739b
Verdict:
Malicious activity
Analysis date:
2022-07-11 16:18:04 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/74fdea5f-ee2f-4e5b-8193-90c1773e2e87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286343/
Detection(s):
Win.Packed.Fugrafa-9955718-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypter greyware packed ransomware
Link:
https://www.filescan.io/uploads/62cc4c4e22051a09ca71fa8c/reports/912b81d4-4523-4852-a242-63489b40cd48/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/103e4fdd-16af-40c5-a960-ba4458713d55
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028758
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b35e9c0d9230cdcf4531fa84184e99f79f4de3fd91264f7ab3ce7d23246a8669/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 16:14:08 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wnpjydmsgdg46rjr7kcbqtuz66pu3y75sete66vtzz6sgjdkqzuq._file
Verdict:
malicious
Similar samples:
03822860cec41faac055e0923da51e3a7d71d8c3d95793db4fbf7e1f9ac34942
RedLineStealer
4794d682adf23fec5f738cc3477c955eba198be11ebcd98560064d7b7d7424af
RedLineStealer
5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9
RedLineStealer
b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01
RedLineStealer
b180216a50259f6c1602343a6da48ccd1b9bc293e0d6ff4f1336fa212c482ce6
RedLineStealer
b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0
RedLineStealer
e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061
RedLineStealer
f7491341509fe582a63437f0f92c3c66a6f4c98c20ff8e6574e1ecf844d4fa19
RedLineStealer
+ 6'162 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mariobalotelli discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220711-tpmzgaafhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.233.48.58:43014
Unpacked files
SH256 hash:
24bff82dd4080c5c7ae54ab90e298dd240fc1ead3dcf90004140d88ab40dc8e8
MD5 hash:
d0fe93e19db21ba4107b899a644dc810
SHA1 hash:
c1d486295b7e32a9804c6d80aa407573ae522437
Link:
https://www.unpac.me/results/ab959877-9e32-4191-a4b9-6f8122c70d88/
SH256 hash:
3d5b6295ec459e60f22cc41423a8194fa963f062b17782d32ac604ba92c6f2e7
MD5 hash:
c78ee71882533c38bd79fc6091b40362
SHA1 hash:
83d730bb8c8fa92440f2f5431c5839b3eed102b5
Link:
https://www.unpac.me/results/ab959877-9e32-4191-a4b9-6f8122c70d88/
SH256 hash:
a372264a36e8091da7eda95625e32bc4994b9ad4d04b6e0268970ccfb6e78780
MD5 hash:
374787251a04f7e4eade3d0f8e45a57e
SHA1 hash:
64bdec4306abedffb000b238f23a44c6cc5d7384
Link:
https://www.unpac.me/results/ab959877-9e32-4191-a4b9-6f8122c70d88/
SH256 hash:
b35e9c0d9230cdcf4531fa84184e99f79f4de3fd91264f7ab3ce7d23246a8669
MD5 hash:
31552485c982bbf44b3339285d67739b
SHA1 hash:
38094ac01c3ec7ad020e6c3544314f2647c7aafa
Link:
https://www.unpac.me/results/ab959877-9e32-4191-a4b9-6f8122c70d88/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b35e9c0d9230/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b35e9c0d9230cdcf4531fa84184e99f79f4de3fd91264f7ab3ce7d23246a8669

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b35e9c0d9230cdcf4531fa84184e99f79f4de3fd91264f7ab3ce7d23246a8669

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2256413/
Cape
Cape
https://www.capesandbox.com/analysis/286343/

Comments


Avatar
zbet commented on 2022-07-11 16:14:03 UTC

url : hxxp://89.185.84.28/mario.exe