MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3c79825b29e0f0e91efd3aacdb363d28a09b602a93cdea9fd6a9ec0bea2e059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3c79825b29e0f0e91efd3aacdb363d28a09b602a93cdea9fd6a9ec0bea2e059
SHA3-384 hash: 5e9cb3d4c3ea4090ff275034b44c9928c9779a3314df59b7bbd6ba2e02077901ffab32e38805219706cd1f738536d2bb
SHA1 hash: 224d4e06a8456a2089ba37a329e1d5b14e90f298
MD5 hash: ea529611c448b77d40502469d26bd0f8
humanhash: two-six-stream-juliet
File name:ea529611c448b77d40502469d26bd0f8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:278'016 bytes
First seen:2021-07-13 18:36:42 UTC
Last seen:2021-07-13 19:51:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 694cefd794672cf1ddeb3defda78755b (1 x RedLineStealer)
ssdeep 3072:dsQfV+oax0ZgWIqmgyZfZZDE+7SKvAKP3x26H//LPPdmk15Kg15ia5eykMOHS:CoMY0ZF7SKIK/H/T1qg1GL
Threatray 887 similar samples on MalwareBazaar
TLSH T11C44DF1272E0D831DAF2053464B8C7A46A3BB8721670924FB7943B7F5F712D2AA7531B
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ea529611c448b77d40502469d26bd0f8.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-13 18:46:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3c163de-eaaa-40e1-bfcb-daf0eb58fe70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Zusy.393165.29707.15724.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21f20cd2-9e95-489e-aef5-2ae93f9493bc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815832
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential time zone aware malware
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3c79825b29e0f0e91efd3aacdb363d28a09b602a93cdea9fd6a9ec0bea2e059/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 18:37:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpdzqjnstyhq5epp2ovm3m3d2kfatnqcve6n5kp5nkpmbpvc4bmq._file
Verdict:
malicious
Similar samples:
254f8a160343897dc3e748af2f4c2164455afe3daaa75654c0a7e13483a43f0c
RedLineStealer
3d0929a26ec285ea95bf4bdfa3fa81de027ac3e908e25240c96fcb548350aa11
RedLineStealer
49e784cd4664d480317bc3e726821d153e14ebc8b335cebce963ec427e4dcea9
RedLineStealer
8c031056d718f770dde763f4e1db77f6b129cb9f71129461a2fc7a3f893a5bb6
RedLineStealer
a4ba89389929db2c9baa52e9b858164dad161d53ba61a73712a2c3ba92b49ec5
RedLineStealer
d1393748b163640113850583346ee301192def81a399142aa276691eecd4314a
RedLineStealer
d59ae43affeee4773c89a3bddf6da80f88e86dc5c91184890864f97fc7cd5f5b
RedLineStealer
de712d2797a18f9953bfcf772407c71a74daa4fb5ff09125ae7076476073ba39
RedLineStealer
f987e604cea843136237baea2181b45467bbbf2155fdd7c51350dfa84ec051cc
RedLineStealer
fb0303e801dbca5a2c0ca700ea1e5b4d404b16089c066542790056a15a5dcab3
RedLineStealer
+ 877 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pudt01 infostealer
Link:
https://tria.ge/reports/210713-pjhw4zbw9j/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine Payload
Malware Config
C2 Extraction:
176.111.174.254:56328
Unpacked files
SH256 hash:
3a49b4ee6415a46d19d3a40242dc885960b333abe033dbf3f13093b7cb76efb7
MD5 hash:
a07c7cae6969e633d6c09a4284faf667
SHA1 hash:
fe785beccc276455403bf818ceab00e734f7cd53
Link:
https://www.unpac.me/results/ff67efb7-2450-4ef3-9ca3-0198099336df/
SH256 hash:
74ee794fb5bd2f7f8dd391e3df8574260e5633c4e9b2383c8339770bb35ea73c
MD5 hash:
90d2dbdeddb5db699925ae1142839c30
SHA1 hash:
e767eebd9e0caa4cbc02b292da997097172c2b56
Link:
https://www.unpac.me/results/ff67efb7-2450-4ef3-9ca3-0198099336df/
SH256 hash:
de9be405a6d7efcc48206a721012853b4e9ab7f8dcdc8b720c81b68f1dbe6dae
MD5 hash:
e818e2a12b0023c38ec55f6bf5c1e562
SHA1 hash:
d182f7f994635a1d6fa6c4a0d5f2b2f177c914f1
Link:
https://www.unpac.me/results/ff67efb7-2450-4ef3-9ca3-0198099336df/
SH256 hash:
b3c79825b29e0f0e91efd3aacdb363d28a09b602a93cdea9fd6a9ec0bea2e059
MD5 hash:
ea529611c448b77d40502469d26bd0f8
SHA1 hash:
224d4e06a8456a2089ba37a329e1d5b14e90f298
Link:
https://www.unpac.me/results/ff67efb7-2450-4ef3-9ca3-0198099336df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3c79825b29e0f0e91efd3aacdb363d28a09b602a93cdea9fd6a9ec0bea2e059

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b3c79825b29e0f0e91efd3aacdb363d28a09b602a93cdea9fd6a9ec0bea2e059

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1393122/
  
Delivery method
Distributed via web download

Comments