MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3755eb8f78e65b8bf54279583995deaa3b7dc55f192b2ec80df204471f64080. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3755eb8f78e65b8bf54279583995deaa3b7dc55f192b2ec80df204471f64080
SHA3-384 hash: c8976c790eb85ff9a11dc8c30a872dd52a3b913494ae4429e1a6d9bf8dc5440761166008f345b12e3917137e1bd4402e
SHA1 hash: 8714ebb20b3174507498a51a86d3f1da4a9e700e
MD5 hash: 6ca0cd72acd293137a7aa149a046591a
humanhash: mars-white-nuts-london
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:448'000 bytes
First seen:2023-05-21 01:04:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f33507fc49ff617ecb248bee3af9a74 (2 x Stop, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:2uEZPdqXIQvqXx5CTB2wrEMrSCCAiLcI8AI2UFw1QAz67v7cTP:2Pda/qh5QB9EiBC5cI85dZk
Threatray 49 similar samples on MalwareBazaar
TLSH T1C3949EC392A3BC6BE92546728E3EC6F8761DB5524F046BD722586B3B04711F2D6B7302
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1109161606224a00 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc797927207_660716604?hash=FaAuUyjuLu6IoyzDc2RhVy3t8pD9lRppJ4zDT45QhJc&dl=qW8GKbKlk6xzZNLv9hQtXUIWqFpaBdMKLcyjAE1NwhP&api=1&no_preview=1#tit1

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-21 01:05:41 UTC
Tags:
redline
Link:
https://app.any.run/tasks/cebc2c17-7627-4a86-99b4-5c77d54daa08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.29322.BadIN.UNOFFICIAL
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/86289/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64696e3e50166e5524e2a3c8/reports/b80bb15c-f57e-4a5e-ae75-13f14ebec752/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b3755eb8f78e65b8bf54279583995deaa3b7dc55f192b2ec80df204471f64080
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/856511e2-ef14-4047-953b-b0575eca8f66
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1238386
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3755eb8f78e65b8bf54279583995deaa3b7dc55f192b2ec80df204471f64080/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-21 01:05:04 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wn2v5ohxrzs3rp2ue6kyhgk55kr3pxcv6gjlf3ea34qei4pwicaa._file
Verdict:
malicious
Similar samples:
0ad626b2514c0e0ce3a1158b7d7e17afef6ab0afc985af4b7e8cbbbc6f436501
RedLineStealer
1e6feb0749b0cfffd2e085d364667c6040cf008a59b0831a74c82db2256055b6
RedLineStealer
2ee97fca2aaaec7f5232546878134f3ae58ee53997338abf3f119f1b1051eeca
RedLineStealer
3e618b09bbab54dd0bd81e5ff61964768c527c998f5e9464a0239ca7ec23cadf
RedLineStealer
8f2486c896e10bb516f077a31e6d36c281c868ca4214ab44ee4d5306311d481e
RedLineStealer
9893ec0e2902925018922ca40cc3495001dec4ccd32137cc13566c74bd1438e1
RedLineStealer
e29ff3b2a901941f9b51de181a18a7730e01fbab155392d8c319002a88a116f5
RedLineStealer
ee2c5a26d45ebf62efd5afd3c9e25e14d44658a7f0ddb9c522154e9eee18923d
RedLineStealer
ef2baff18e38c81563a209be46e0abf3bdc5e05da6c2a8872287edd64901af63
RedLineStealer
fe531dc9fc72351d60ee3f1641595ffc76789f282e7078a4b7553cb8d031260e
RedLineStealer
+ 39 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/230521-bfhdhsfe39/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Unpacked files
SH256 hash:
ba6210d0adf7ad3dbcd1f315316f612cf7c3ce35956931dd6d315df0c0dff81b
MD5 hash:
d769619fb1913b2d31d7f80d2ab8f30b
SHA1 hash:
f3fa294b13bb1bb7cfbb819b0b8b95f04d7a90cb
Link:
https://www.unpac.me/results/a30efe09-4a9c-40f4-a3d1-7a0cf88f2007/
SH256 hash:
f704b0a86ba53be666bf7c21c657883ff171a4bbd6827041d9b4264a89c7d6a6
MD5 hash:
e1406289e9da2e8b1f4efd2a94976c48
SHA1 hash:
c4382262af543036d948f9d722a6bb44a5d4f8b7
Link:
https://www.unpac.me/results/a30efe09-4a9c-40f4-a3d1-7a0cf88f2007/
SH256 hash:
1098a4d4a6e4be38a7c80ba467f533cc05aaa6956dc1f10101229f38ffe9e573
MD5 hash:
7d31dcd6cb69f88e2fcabf2efb5f6936
SHA1 hash:
37875d14454f08ddbe04e2f4f8baa137b357efaf
Link:
https://www.unpac.me/results/a30efe09-4a9c-40f4-a3d1-7a0cf88f2007/
SH256 hash:
b3755eb8f78e65b8bf54279583995deaa3b7dc55f192b2ec80df204471f64080
MD5 hash:
6ca0cd72acd293137a7aa149a046591a
SHA1 hash:
8714ebb20b3174507498a51a86d3f1da4a9e700e
Link:
https://www.unpac.me/results/a30efe09-4a9c-40f4-a3d1-7a0cf88f2007/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3755eb8f78e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3755eb8f78e65b8bf54279583995deaa3b7dc55f192b2ec80df204471f64080

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments