MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d34c45ded7e5c8678139a34808e268195846a8d429d9dd3c7ce068832c3d7ead. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	d34c45ded7e5c8678139a34808e268195846a8d429d9dd3c7ce068832c3d7ead
SHA3-384 hash:	3676c59c5b92da70385f6944fc776e430851da6a8f7dd3c7eb553ac5d96eaa34c866700f11898e6e515f74a0774cbc36
SHA1 hash:	23bda65c10f9fe1f56113463d7df682bd883860f
MD5 hash:	43974f8751cc6f086f1f41e3499cc759
humanhash:	network-six-kitten-quebec
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'546'680 bytes
First seen:	2022-10-10 14:10:35 UTC
Last seen:	2022-10-11 13:30:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d8761a1f54b24cb5e90225a4de0f3bda (1 x RedLineStealer, 1 x SystemBC)
ssdeep	24576:ThveHsMVpUIXi/9lqxvV9EJRJHIS2dzAlLKzWfT9J7CZJTWcYT:ThveMitykVuJvIpdzOLnmrWc
TLSH	T1C865027CD2EDA096CDD6113CA3416B332945F060EBC659EB1610232AD95CF83A6F2BDD
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	008ab2bebebec4c0 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	bbs.com
Issuer:	Amazon
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-11-22T00:00:00Z
Valid to:	2022-12-21T23:59:59Z
Serial number:	0269ea9964cca3446c6099818bac9f57
Thumbprint Algorithm:	SHA256
Thumbprint:	692712111554932d6ef24f920ff0ed1e348bc111f34a558fe2b222b040e3eeb4
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc638734270_651367451?hash=r7iHI3ey3YE6domzJbMmnd07nkbmq8Kp37Afw0ghsfw&dl=GYZTQNZTGQZDOMA:1665410743:LT11X838kfNfsKoXoyngJgJZqq16eopppROqEnzHMvz&api=1&no_preview=1#soft

Intelligence

File Origin

# of uploads :

566

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-10-11 06:05:38 UTC

Tags:

evasion opendir trojan socelars stealer loader raccoon recordbreaker rat redline

Link:

https://app.any.run/tasks/fa040c49-9858-4be5-a1c6-93b42e90d342

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/318463/

Detection(s):

SecuriteInfo.com.Variant.Jaik.99745.25135.4885.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Creating a file in the system32 subdirectories

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/634427f76b55cf740b899bdf/reports/5f79ad08-cf31-4ecc-8082-bcc17f4d7977/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1588cd0f-3161-488e-99b1-22f10945d69d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1087233

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d34c45ded7e5c8678139a34808e268195846a8d429d9dd3c7ce068832c3d7ead/

Threat name:

Win32.Infostealer.RedLine

Status:

Malicious

First seen:

2022-10-10 14:11:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ngelxwx4xegpajzunearytidfmenkgufhm52pd44buiglb5p2wq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:101022_2 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/221010-rg9r6acag6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

root.firstmillion.click:81

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7823e950-0f71-48ea-ba80-748da08b4887

Unpacked files

SH256 hash:

e87fa3b613ef46e51adf0fb31ef11ea9ecabd4624ad103fbffac8b2b782578a3

MD5 hash:

dfa2f229bf6aa21612fc4ad6647dbd0e

SHA1 hash:

5ba65631704522c1d99b3d64e2e8e2c6f55189da

Detections:

redline

Link:

https://www.unpac.me/results/f48f96ef-a287-41cd-93fc-8639fda3afb6/

SH256 hash:

ce1e71e7dc80260dfa521cd551bd86cdf8e97ce50bf7f7d49b792590aaf07d63

MD5 hash:

7e4d216c3593b6fac09c136a556f6981

SHA1 hash:

5d979710cb1b969938a57a9ccc57de0df3a84609

Link:

https://www.unpac.me/results/f48f96ef-a287-41cd-93fc-8639fda3afb6/

SH256 hash:

d34c45ded7e5c8678139a34808e268195846a8d429d9dd3c7ce068832c3d7ead

MD5 hash:

43974f8751cc6f086f1f41e3499cc759

SHA1 hash:

23bda65c10f9fe1f56113463d7df682bd883860f

Link:

https://www.unpac.me/results/f48f96ef-a287-41cd-93fc-8639fda3afb6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d34c45ded7e5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d34c45ded7e5c8678139a34808e268195846a8d429d9dd3c7ce068832c3d7ead

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/318463/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample