MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c37f2c927bb9fa4dbeae35bdb1083a539d7c588ad5d5d1340fcfb686ad653786. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 11

SHA256 hash: c37f2c927bb9fa4dbeae35bdb1083a539d7c588ad5d5d1340fcfb686ad653786
SHA3-384 hash: 22b9c0f9f450802a3722dc2d2114e55e157ffc0d8c1973a27461c58e55974054500298482b5e90a10f88cbb7e505d738
SHA1 hash: 43ddc0040606e20bd56138720d183e0327eb2766
MD5 hash: b255faaeb6c1b6a5730f05678be7b7d9
humanhash: lemon-fix-summer-michigan
File name: 24030756.exe
Signature: RedLineStealer
File size: 570,880 bytes
First seen: 2022-03-19 05:08:29 UTC
Last seen: 2022-03-19 06:42:20 UTC
File type: Executable (exe)
MIME type: application/x-dosexec
imphash: 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep: 12288:oxhOkZxcoxCi9fVRvqQS03ULaHNqrxlKIQNoKKQEZrED/OKfd:2Ok/cFi/RvqkEaHNYK3XrP
Threatray: 5,317 similar samples on MalwareBazaar
TLSH: T16CC423F252863DACD48B0376FF107B52967E111486C8E24FB79E4CB52C89A9EC9E46D0
Reporter: adm1n_usa32
Tags: exe RedLineStealer
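The identifiers in the table above can be recomputed offline when triaging a file, which is the only way to confirm that a downloaded sample is the one the entry describes. The Python below is an added example, not MalwareBazaar's or pefile's own code. It computes the four fixed-size digests the entry lists, checks them against a published listing, and derives an imphash using the same normalisation pefile applies: lowercase DLL name with a trailing .dll/.ocx/.sys stripped, lowercase function name, tokens joined with commas in import-table order, MD5 of the result. The import table and the file bytes are constructed for illustration and are not this sample's. Ordinal-only imports are written as ord<N>; pefile additionally maps well-known ws2_32 and oleaut32 ordinals to names, which is not replicated here, so imphashes of binaries importing those by ordinal would differ. The fuzzy hashes (ssdeep, TLSH) need their own libraries and are not shown.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Extensions pefile strips from the DLL name before building the imphash string.
_IMPHASH_STRIPPED_EXTS = ("dll", "ocx", "sys")


@dataclass(frozen=True)
class ImportEntry:
    """One imported symbol: the DLL plus either a function name or an ordinal."""
    dll: str
    name: Optional[str] = None
    ordinal: Optional[int] = None


def file_digests(data: bytes) -> Dict[str, str]:
    """The fixed-size digests a MalwareBazaar entry lists for a sample (lowercase hex)."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def check_hash_listing(data: bytes, listing: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Recompute digests and return {algo: (listed, actual)} for every mismatch."""
    actual = file_digests(data)
    return {
        algo: (listed, actual[algo])
        for algo, listed in listing.items()
        if listed.lower() != actual[algo]
    }


def normalise_import(entry: ImportEntry) -> str:
    """Produce the 'dll.func' token that goes into the imphash string."""
    libname = entry.dll.lower()
    parts = libname.rsplit(".", 1)
    if len(parts) > 1 and parts[1] in _IMPHASH_STRIPPED_EXTS:
        libname = parts[0]
    if entry.name:
        funcname = entry.name.lower()
    elif entry.ordinal is not None:
        # Assumption: ordinal-only imports become ord<N>. pefile also resolves
        # known ws2_32/oleaut32 ordinals to names; that table is not replicated.
        funcname = f"ord{entry.ordinal}"
    else:
        raise ValueError("import entry needs a name or an ordinal")
    return f"{libname}.{funcname}"


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """Comma-joined normalised imports. Order follows the import table, so it matters."""
    return ",".join(normalise_import(e) for e in imports)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 over the normalised import string: the imphash used to cluster samples."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import table for illustration only; not this sample's imports.
SAMPLE_IMPORTS = [
    ImportEntry("KERNEL32.DLL", name="GetProcAddress"),
    ImportEntry("KERNEL32.DLL", name="VirtualAlloc"),
    ImportEntry("USER32.dll", name="MessageBoxA"),
    ImportEntry("WS2_32.dll", ordinal=115),
]

# Constructed stand-in for file contents; real triage reads the sample bytes from disk.
SAMPLE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"


if __name__ == "__main__":
    for algo, digest in file_digests(SAMPLE_BYTES).items():
        print(f"{algo:9s} {digest}")
    print("imphash string:", imphash_string(SAMPLE_IMPORTS))
    print("imphash       :", imphash(SAMPLE_IMPORTS))
```

Because the imphash string preserves import-table order, two builds with the same imports in a different order get different imphashes; that is why the counts next to the imphash above (hundreds of RedLine samples, a handful of other families) are useful for clustering builds from one toolchain but are not proof of family on their own.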

Intelligence


File Origin
# of uploads: 2
# of downloads: 268
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
- Searching for the window
- Launching a process
- Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
- Allocates memory in foreign processes
- Connects to many ports of the same IP (likely port scanning)
- Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
- Found malware configuration
- Injects a PE file into a foreign processes
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for submitted file
- PE file has nameless sections
- Writes to foreign memory regions
- Yara detected RedLine Stealer

Behaviour
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2022-03-19 05:09:12 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 27 (85.19%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
- Program crash

Unpacked files
SHA256 hash: 27c5e2527ff957cbd3f2c728e655137773007446f6ed7373355685b3ce65f60f
MD5 hash: a0915fb31134c1608251cbedb8cc4921
SHA1 hash: 08b8bd6afb7bd209794930bcb013925f149c826f

SHA256 hash: 433293737faa0055a9d13bf6e0d9f6dbed1662a5e6e52b6b8bcf740a9be3fd17
MD5 hash: 95ebc21c332f56df406d5434e701cdd2
SHA1 hash: 1ca36f59a4bdf83a8cd8e6a17aea9b7071d08a41

SHA256 hash: c37f2c927bb9fa4dbeae35bdb1083a539d7c588ad5d5d1340fcfb686ad653786
MD5 hash: b255faaeb6c1b6a5730f05678be7b7d9
SHA1 hash: 43ddc0040606e20bd56138720d183e0327eb2766

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
