MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a
SHA3-384 hash:	bc5239cbef2856a08645af3fce9bb51f54431b0d06b9f78bc5a3d4c6f1571821c019f836e2d9b8cfeee22bb4464fe068
SHA1 hash:	aa871c424718bcca99e2a51001d6b8928fede2d8
MD5 hash:	2dfdc4c453fedfdd4767a10c9ec58414
humanhash:	texas-jupiter-venus-kansas
File name:	2dfdc4c453fedfdd4767a10c9ec58414.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	714'752 bytes
First seen:	2021-07-30 13:44:06 UTC
Last seen:	2021-07-30 14:49:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3e01aba115e2809fc1e1e81e4276a146 (1 x RedLineStealer, 1 x RaccoonStealer, 1 x GCleaner)
ssdeep	12288:6gd0GTfmr+V2j0ZwdJAiwV+a8vaKu98+bj9pDHdMBV:Vd1t2jzdJVHvy8+P91Hdu
Threatray	1'570 similar samples on MalwareBazaar
TLSH	T101E4F130BAD0C031E5F726F84AB9D3B8752D7E61A73410CB22D52AEE56356E9EC30257
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

583

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2dfdc4c453fedfdd4767a10c9ec58414.exe

Verdict:

Malicious activity

Analysis date:

2021-07-30 13:47:05 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/cbcce2db-bf21-4920-afcc-94af1d3b144b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/175298/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.23109.6546.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50fc7d0e-c52b-421a-8086-c12fbb9314e3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824505

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-07-30 13:45:06 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wn4xe6ned34f4vu22eaipcgjwuzbhy7te3xcwon52c4biznfarva._file

Verdict:

malicious

RedLineStealer

5940ba33eed4285ac4adc24b4196e812c7f11e20e45290cbf89c856a80c7cac8

RedLineStealer

9cefdffb73daf4a060fd9b44803eec6795db46ed96d49e1c6cb34e4224979321

RedLineStealer

b00dc3b0fb77b5893417308a832cfaabd7440230a1800807444af33f0475b005

RedLineStealer

b437017fcf0a4f6444183cbe1533b1f0901b83b501ac190adc787de4cc7f11a6

RedLineStealer

df28d049b131a8dec56e3bbfff4ca4b419a0a04a41af70b5fce5be80b10385a3

RedLineStealer

e9e058a97ae8281cf6435c759d712e14f91640aff79cc8a39dc605c46c042c60

RedLineStealer

f1b072a4977439e50f66ceaa57528f53227d95fe762d0cd5250c45ed59e3ee9b

RedLineStealer

+ 1'560 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 30.07 infostealer suricata

Link:

https://tria.ge/reports/210730-h38nz2g8fe/

Behaviour

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/ee14a3e9-63e8-4c63-bc04-ce3b3060830e/

SH256 hash:

b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a

MD5 hash:

2dfdc4c453fedfdd4767a10c9ec58414

SHA1 hash:

aa871c424718bcca99e2a51001d6b8928fede2d8

Link:

https://www.unpac.me/results/ee14a3e9-63e8-4c63-bc04-ce3b3060830e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.