MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA3-384 hash: ea5120c62394d2fe2dccc3d0de97e7b63db341de86bb35d210af800f6caa02415de1245f40e290b268b0967b86fb1b5e
SHA1 hash: 3cbd4ff5252f1505471ba80608345d5fd8b300a8
MD5 hash: 43bbed8db3d574acd479bb95fdaeb89f
humanhash: saturn-mexico-cola-comet
File name:cd3b625cb2fe094def21db9f7261c9d83873471dd3ef0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:370'176 bytes
First seen:2023-08-14 01:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b2ecd2f1e677ff2d380d045dde6c6686 (2 x RedLineStealer, 1 x Rhadamanthys)
ssdeep 6144:kChTLg/abRhtQ8c4UrZqlvnTfbCEJ/faO2DR+huD4NA:ksE/abRhK4UeXfaOqw04NA
Threatray 9 similar samples on MalwareBazaar
TLSH T12C7402217682D071C19F58315832DFA16BBF74375AB8484B37650A7E4F612D2CA3B78E
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 67636765e3c756a1 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.214.55.181:36116

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
cd3b625cb2fe094def21db9f7261c9d83873471dd3ef0.exe
Verdict:
Malicious activity
Analysis date:
2023-08-14 01:36:29 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/a79a2a2a-da03-4161-bdf7-0379b5ff5e91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442542/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102801/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64d985046409f246e14138d9/reports/682415b6-5aea-4e3b-af3b-78143fab56a8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/236eeeaa-129c-4b01-b8cf-1cffe027898c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290738
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-08-14 01:36:06 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zu5wexfs7yeu33zb3opxeyoj3a4hgry52pxqma2fyoi32evpqs4a._file
Verdict:
malicious
Similar samples:
23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3
RedLineStealer
690206b7cf8cb74aa8c1d253d94e5fc8d9ca8944e433aa9302e092c028fcc0fb
RedLineStealer
6cbc2518baeccb2e4f4377a999d99900dc173e6ecc64f630247e0ddc4258693f
RedLineStealer
85c917e7448dad92ecc81787e6441b6b9caf55bf49b706aee38e8850691ab042
RedLineStealer
b88f415e11c14276459d2211fa89e8e44c7790a39c258fa5f8ba9db8b07b84ec
RedLineStealer
c46f2fcce113e720cfd68123663b96ea24203591c40caafa70cb518fa9e31fac
RedLineStealer
cfd50ebd68ef10d129a02abda73eaf641212107379c094b1e84d50e0f7e5dab5
RedLineStealer
e1d680bc0112e599878b0c7fa09c89082d4d2d8620ed5e1d3a697083741c13dc
RedLineStealer
e70a0a203a7ad5a9b8526cc0615b51bbe5358418e277014847db9b4df774c271
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware stealer
Link:
https://tria.ge/reports/230814-bz9bcaad9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
5b72c065ce1368b7f714404934442927cd172ad8130c403c1e982d9233ab1954
MD5 hash:
198aa3f83ecc458876c4ba1fd287b3c9
SHA1 hash:
cd41ad7b620e6143c955d472d3da1ab59c201764
Link:
https://www.unpac.me/results/fcfadbbf-36db-4acb-a5b6-790c0e15fad5/
SH256 hash:
65eb5864e6061796eff950fd53e7379c807c3ec00819e4a1af26d3149d873f7a
MD5 hash:
4fd86c9d42d3d2e880f27510c30b4b45
SHA1 hash:
571d00ae440986928e59d7187d091870f49ed192
Link:
https://www.unpac.me/results/fcfadbbf-36db-4acb-a5b6-790c0e15fad5/
SH256 hash:
299cc205133f3e6d03b15e9d86ef2a319ceab5ab28e750f9ec77bc259056ef15
MD5 hash:
1857297f0a74c06f5bbd4adf5fc60ade
SHA1 hash:
4649efbb15acd43420dbc7179576b7d8f8df4438
Link:
https://www.unpac.me/results/fcfadbbf-36db-4acb-a5b6-790c0e15fad5/
SH256 hash:
3dfe7e55dda6b65244b2d75250ad79a60a155c6867740491c79c96100589ec2a
MD5 hash:
6b0a997e92d178c5b2a9c9fd655c0685
SHA1 hash:
3a92677eba2074d7b7ce070b95a946a8655094b7
Link:
https://www.unpac.me/results/fcfadbbf-36db-4acb-a5b6-790c0e15fad5/
SH256 hash:
cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
MD5 hash:
43bbed8db3d574acd479bb95fdaeb89f
SHA1 hash:
3cbd4ff5252f1505471ba80608345d5fd8b300a8
Link:
https://www.unpac.me/results/fcfadbbf-36db-4acb-a5b6-790c0e15fad5/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd3b625cb2fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/442542/
  
URLhaus
https://urlhaus.abuse.ch/url/2704413/
  
Delivery method
Distributed via web download

Comments