MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a
SHA3-384 hash: eab1f00e6335a075f420f819f86d4d03c49ec4d2d792272fe720aab7f76b1e7fbcbe1aea4eef476b8854abcc0f226f68
SHA1 hash: 2ee98527e54dbb943f3f34046f66fbcc134be056
MD5 hash: b21336f35129415d339f0a8f2fc190f5
humanhash: jig-football-chicken-glucose
File name:b21336f35129415d339f0a8f2fc190f5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:692'224 bytes
First seen:2021-03-03 18:52:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:WMwKuHJh8teodM4fNDVbUs2yx+87xUeae6x9g7xbiD03:WMwKGGxU1e6x9gdm0
Threatray 136 similar samples on MalwareBazaar
TLSH 00E4D6A8206E50EDCCB67A366FE9B49D8FD52D017316752F3852338702739A1AB8F45C
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://7zipd.com/

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eea2e0d879ab44e51905b09180034dda.exe
Verdict:
Malicious activity
Analysis date:
2021-03-03 22:35:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89f8a1b4-0d8d-422b-9b52-725563328803

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/121941/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/627130
Signature
.NET source code contains very large strings
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wovmzxaqqxbdix5jpxxaqzbcmbrdilaporxpboi43cc7c47kk4va._file
Verdict:
malicious
Similar samples:
0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c
RedLineStealer
1c5de33a75e4c9bebf045767ff494bbc8c12eae88989ab91466815f86ee312ca
RedLineStealer
20510b85596724711f8fb4c7111055086f6e44845206038fa7b7c4bcfebf2265
RedLineStealer
2cd722bc4e448f38f4e79e69a48a7fc3f92c09586e50bc0f3f9f8dc5f4495fcc
RedLineStealer
4d94148f1dff68b03896e3fa5508c5b039b0a29b1fd90db01884137f2e9495a4
RedLineStealer
60a4e3f1d748ace4e6b82ba68fce30bf35b0f2e6bbbb9aa1e8d690c7406b744d
RedLineStealer
ab726a7fa6bca9c0d71686c601534a575530461a42160f7c74e3eae694f64012
RedLineStealer
b680156ec148a3ca3a4f0ebde18e88484430a9cd15e0f1ef5e4225a6d2bf00a7
RedLineStealer
c120fd3e62a0ecd299625f3fbf622fb8a56b534828b6788fe766f1bc36ac7a68
RedLineStealer
c3e4279a43450ead744ae1ccb4eebce1feb6017ef3a8f2f0a1b3f602922913a0
RedLineStealer
+ 126 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline agilenet discovery infostealer persistence spyware
Link:
https://tria.ge/reports/210303-9z2dpb4gjx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
RedLine
Unpacked files
SH256 hash:
8301fafacebb37bdc368ae1eb174c2c8b9555b227b404c2f9b799fa5580a9222
MD5 hash:
758d12d7afff9839bbe1f8dbe2746620
SHA1 hash:
e56f1e5122e539233a2123c15532292a94e81e0f
Link:
https://www.unpac.me/results/1e656a4b-fa1a-4fbc-a318-ad1274d70cbc/
SH256 hash:
03d2af671364ef6ac796ff531869aba9ef543288cf74ef643389401acd7774af
MD5 hash:
caad1afe8444321996a1cdb0f6694be4
SHA1 hash:
3a2f2b05c06f2d61dc3252627ecc45492ab49122
Link:
https://www.unpac.me/results/1e656a4b-fa1a-4fbc-a318-ad1274d70cbc/
SH256 hash:
f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027
MD5 hash:
d66f89bf838fb52ed59d311a99aea214
SHA1 hash:
342525c4aabbb92abf51459081d34ed0f1cdc965
Link:
https://www.unpac.me/results/1e656a4b-fa1a-4fbc-a318-ad1274d70cbc/
SH256 hash:
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a
MD5 hash:
b21336f35129415d339f0a8f2fc190f5
SHA1 hash:
2ee98527e54dbb943f3f34046f66fbcc134be056
Link:
https://www.unpac.me/results/1e656a4b-fa1a-4fbc-a318-ad1274d70cbc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/993438/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/121941/

Comments