MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce3ce7731b94e9baa021d47e97b6b0cf0f3634579feba279871e4da58452f5b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce3ce7731b94e9baa021d47e97b6b0cf0f3634579feba279871e4da58452f5b0
SHA3-384 hash: 29e84fc83615eab9cd9eaa018e10baf0c9526f76ff5d9c5412dd23185773584561f82b2a4d15d14616781c782a773940
SHA1 hash: 56a7f99fc287b488d24bbe9ebf2c97ec708f40e7
MD5 hash: afb5f20fcf96bed84adb7d81da96756b
humanhash: robert-lake-william-twelve
File name:afb5f20fcf96bed84adb7d81da96756b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:479'232 bytes
First seen:2022-03-17 12:52:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ca9b05a489def699a29df5061ef8fa2 (2 x Smoke Loader, 1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 12288:BsQsnalmbrampCa2w9UZB5hhsl0zeM0e33uZ2HPWQVHO48i:Vs+yraa2w9UZB5hhsS00eZ6BO4N
Threatray 12'888 similar samples on MalwareBazaar
TLSH T161A4C010BA90C035F5F711F8A9BA93ACB93E7AA15B7050CF53D42AE956346E4EC3131B
File icon (PE):PE icon
dhash icon f8e8eceae4f8989b (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
afb5f20fcf96bed84adb7d81da96756b
Verdict:
Suspicious activity
Analysis date:
2022-03-18 01:04:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/042ce7fa-6225-4cfc-94db-918da5cecd4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/251944/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9565/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62332f3bb94fb38cb498a752/reports/15f52dd7-9f25-4919-b4c5-17efeaf51367/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e71a35a-d15e-4e09-9b72-4d6056c60df5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/958715
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce3ce7731b94e9baa021d47e97b6b0cf0f3634579feba279871e4da58452f5b0/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-03-10 15:28:55 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
26 of 27 (96.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zy6oo4y3stu3vibb2r7jpnvqz4htmncxt7v2e6mhdzg2lbcs6wya._file
Verdict:
malicious
Similar samples:
077aababb5209113a9c4a63e03c17830e27e6fe3f5c58344bb552ce221fad7c7
RedLineStealer
0f0bbf5596625740d4b2d2b8701fbdd7d07f214b1ae67d753b58025504ffe067
RedLineStealer
376171414918e59ebc1981b6f61e7504543764268cc41a623df281ba2bb4cf97
RedLineStealer
4085ab42a1fdb112b69ddd3c800e14db649689cbb20977363a11abea97586882
RedLineStealer
8b6318c05cdbd64828da21d58cc6ded6dbaaf4e445827cfca04818600476770a
RedLineStealer
9b5f11cb636c00558e47f9c3d5a706c340b7b8ac34edf80cb71cf7ec70091dca
RedLineStealer
ac78847643cdc130d273246124326bf004cab019f0b4aede23fb9f949df17f4c
RedLineStealer
c5ecc9c84b230535de6333c8559c4e7d8dc66834fddcb6058fe1cd3569076295
RedLineStealer
dcf51fb55020930d3b0349f43e0f53099c3329bb181387419f8fa28040cee35a
RedLineStealer
fe190943733db4d17a62013c2a8028ea4735d47903c08def8e0d4581737919c5
RedLineStealer
+ 12'878 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:buildmn999 infostealer
Link:
https://tria.ge/reports/220317-p4ngbseah4/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine Payload
Malware Config
C2 Extraction:
169.197.141.182:47320
Unpacked files
SH256 hash:
e04a0b829a4d31d01c581fcb50d8a853aefdbb5035dd18b0f7abd7855b8ed4cf
MD5 hash:
d518dbe91418d5d0940c413f853c041a
SHA1 hash:
51774e93f021fa62338b7796be89532079d36ca2
Link:
https://www.unpac.me/results/74fa0f52-5036-4abb-9372-df53ca839974/
SH256 hash:
304d2026e70b3a778b747241c97604fbd36b831528712a5aa496980f1f40988a
MD5 hash:
244ec816e6a7dfab6b9410ab1be1f384
SHA1 hash:
629a21972aae1b95ca291a8e8410d7d4f24f5e78
Link:
https://www.unpac.me/results/74fa0f52-5036-4abb-9372-df53ca839974/
SH256 hash:
804d2280d17ab4710494d71d7324f0c7ba1a570379e5397401c51d4e95614e69
MD5 hash:
9389c9ad4bb2383514abc655dd356422
SHA1 hash:
ed0a3cba0779f73c99f7ee7c77e4cd8c9052ae13
Link:
https://www.unpac.me/results/74fa0f52-5036-4abb-9372-df53ca839974/
SH256 hash:
ce3ce7731b94e9baa021d47e97b6b0cf0f3634579feba279871e4da58452f5b0
MD5 hash:
afb5f20fcf96bed84adb7d81da96756b
SHA1 hash:
56a7f99fc287b488d24bbe9ebf2c97ec708f40e7
Link:
https://www.unpac.me/results/74fa0f52-5036-4abb-9372-df53ca839974/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ce3ce7731b94/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce3ce7731b94e9baa021d47e97b6b0cf0f3634579feba279871e4da58452f5b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ce3ce7731b94e9baa021d47e97b6b0cf0f3634579feba279871e4da58452f5b0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2101899/
Cape
Cape
https://www.capesandbox.com/analysis/251944/

Comments


Avatar
zbet commented on 2022-03-17 12:52:35 UTC

url : hxxp://185.215.113.119/shzkAsk129Azxc/test1.exe