MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc104af3263fc87bbfb9002f805de324e608ed2a8ba8d127365e09d3d3bdbf99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: dc104af3263fc87bbfb9002f805de324e608ed2a8ba8d127365e09d3d3bdbf99
SHA3-384 hash: ff31ad600f5da614c2fe17fa9454c3573e453ca389f470c0c0ce54f7abb61d779ad0561d6c8da743cf49f8904c335e13
SHA1 hash: d847e157c186765ba54d856a3feee9af9fb5ca6b
MD5 hash: 7048e3a317565c358dcbf27b24abaa39
humanhash: three-diet-yankee-wyoming
File name: 7048e3a317565c358dcbf27b24abaa39.exe
Signature: RedLineStealer
File size: 1'186'816 bytes
First seen: 2023-03-06 00:50:23 UTC
Last seen: 2023-03-06 02:29:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 24576:PfYsg64i1TqRNfRpoxg/+ANtg6xXLCqmANmlHj:PfP/tqrRsg/+qtgPAQF
Threatray: 33 similar samples on MalwareBazaar
TLSH: T10F45ADC637BDE522F4D7A032461521C93A35B58B7212F13BAB37BB518601BFF7A89580
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 3044b271f0e8e0ba (14 x SnakeKeylogger, 13 x AgentTesla, 4 x Formbook)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.8.146.108:19179

Intelligence


File Origin
# of uploads: 2
# of downloads: 233
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: Invoice.zip
Verdict: Malicious activity
Analysis date: 2023-03-02 16:51:59 UTC
Tags: rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine, zgRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected zgRAT
Threat name: Win32.Trojan.Woreflint
Status: Malicious
First seen: 2023-03-01 23:14:54 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 21 of 39 (53.85%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:explorer discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine Malware Config
C2 Extraction: 45.8.146.108:19179
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments