MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3119e0ff31316bdc580183591b2c5555667e2af422968916d89def1c0559360. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3119e0ff31316bdc580183591b2c5555667e2af422968916d89def1c0559360
SHA3-384 hash: 0dd41701cf3ee1756ef02919fc4578c271f0a7b5a04a6729b8c0d84e40935f66593b15c4de74161b05b02e60987526b1
SHA1 hash: b00931e43d6e77709c6b7360f4dff04e9b122740
MD5 hash: 1ed567b08f191237ad993ac79cc1b35c
humanhash: cola-tennessee-video-pasta
File name:Order details & Pictures.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:737'280 bytes
First seen:2023-07-31 03:40:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0GSlqPYuCNNXE1oA93bo+VOke4jgS/xVib:AoPYuyXDURreixk
Threatray 180 similar samples on MalwareBazaar
TLSH T1C0F4757804BB4E62C221D2BE6AC5F52FF6425CB6611C8D5B529A6F870D03D732C9EC2D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f2ceaeaeb2968eaa (68 x RedLineStealer, 21 x AgentTesla, 18 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.95.168.240:55615

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Order details & Pictures.exe
Verdict:
Malicious activity
Analysis date:
2023-07-31 03:42:08 UTC
Tags:
rat redline stealer trojan
Link:
https://app.any.run/tasks/005ebc96-50c6-49a8-b0dc-26aaba7223a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439247/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.8077.23290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64c72d4f1b48787a4970a45c/reports/dd0bd5bc-db92-463e-9ef7-d4017ade6556/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e3119e0ff31316bdc580183591b2c5555667e2af422968916d89def1c0559360
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e60738d-58ca-4ea9-bcea-7ec4b7c17990
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1282859
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1282859 Sample: Order_details_&_Pictures.exe Startdate: 31/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->55 57 7 other signatures 2->57 7 Order_details_&_Pictures.exe 7 2->7         started        11 zZspSJwAF.exe 5 2->11         started        process3 file4 39 C:\Users\user\AppData\Roaming\zZspSJwAF.exe, PE32 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmpEDA0.tmp, XML 7->41 dropped 43 C:\Users\...\Order_details_&_Pictures.exe.log, ASCII 7->43 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Writes to foreign memory regions 7->61 63 Allocates memory in foreign processes 7->63 67 2 other signatures 7->67 13 RegSvcs.exe 7->13         started        16 RegSvcs.exe 15 28 7->16         started        19 powershell.exe 21 7->19         started        25 2 other processes 7->25 65 Multi AV Scanner detection for dropped file 11->65 21 RegSvcs.exe 11->21         started        23 schtasks.exe 11->23         started        signatures5 process6 dnsIp7 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->69 71 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->71 45 45.95.168.240, 49696, 49698, 49699 GIGANET-HUGigaNetInternetServiceProviderCoHU Croatia (LOCAL Name: Hrvatska) 16->45 47 api.ip.sb 16->47 27 conhost.exe 16->27         started        29 conhost.exe 19->29         started        49 api.ip.sb 21->49 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 75 Tries to steal Crypto Currency Wallets 21->75 31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        37 conhost.exe 25->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3119e0ff31316bdc580183591b2c5555667e2af422968916d89def1c0559360/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4miz4d7tcmll3rmada2zdmwfkvlgpyvpiiuwrelnrhppdqcvsnqa._file
Verdict:
malicious
Similar samples:
0c1b251249518e1b58f3dc0cc771bf74bbadcb46c6175f45f1a0fe4d7740ca95
RedLineStealer
0f249132a60bf6e772fc500ac0fe11a564feae9e738f29c40424f88ff5ba623f
RedLineStealer
178dfba1bc6c689b9f3170003e559431a5244f43b8b0639d37ed77446bd9ebca
RedLineStealer
38e497ba967a7027611f38d868b02f7c00405cc0cde0500ee32a61103dddd4f4
RedLineStealer
3ddab0e4f018293bc930fb5a635c471074af3cce36801955d938d3eae8a5c737
RedLineStealer
e861fe12d7b0d6d722015418a078caa0684fc3a57da6cb52f2925b42c7719fca
RedLineStealer
ec7d100b0dadc5c38ecb39309a02e826bd167ad25a28f4cf8b0d8c52aeca7018
RedLineStealer
ee858a17d787e31279091138c83eea1ab9c48d04cd7ab79caf5a6f3e4d5f7ace
RedLineStealer
f86fe4dc355d0d5e7e95a13271222177de883d2c69ecd80fc19a315e0a2b1723
RedLineStealer
fe612af3d7883a25ca19eca8440e32741aa66e69c80a7275a13bdd91023399c6
RedLineStealer
+ 170 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat infostealer rat spyware trojan
Link:
https://tria.ge/reports/230731-d8rtrsdd41/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
45.95.168.240:55615
Unpacked files
SH256 hash:
bc9f30b9cab3da1ffb2a21cc03bb19a154232d9eade2e0b407f3c87c2c5d3abb
MD5 hash:
e59b0ff8113d6881fbfe8c64e49fe5c9
SHA1 hash:
f71d1b4cb6e0e5405f1032165a2dbc30b1d96681
Link:
https://www.unpac.me/results/549a60bf-d6a0-4ae2-9a1d-d5c12c95b2f6/
SH256 hash:
4e372254cd955bee1419234d6c6a50bf00245618fdfa5ad2df0f71fc2afa81bb
MD5 hash:
0dee3d102f2e0a3548c5c2817c5842ab
SHA1 hash:
b97ff61ce0560eb0288791ea6e1ac50950852e31
Link:
https://www.unpac.me/results/549a60bf-d6a0-4ae2-9a1d-d5c12c95b2f6/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/549a60bf-d6a0-4ae2-9a1d-d5c12c95b2f6/
SH256 hash:
0b21c2aa6d9b8f807ff7171103c0d3311a852223f66c22c0223d2044dfcd8e60
MD5 hash:
d80ad864ea9b71a6f27a19209a17b26a
SHA1 hash:
33b7929963dba2dd3800a6e5ab8c530cb9cbd3ba
Link:
https://www.unpac.me/results/549a60bf-d6a0-4ae2-9a1d-d5c12c95b2f6/
SH256 hash:
e3119e0ff31316bdc580183591b2c5555667e2af422968916d89def1c0559360
MD5 hash:
1ed567b08f191237ad993ac79cc1b35c
SHA1 hash:
b00931e43d6e77709c6b7360f4dff04e9b122740
Link:
https://www.unpac.me/results/549a60bf-d6a0-4ae2-9a1d-d5c12c95b2f6/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3119e0ff313/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3119e0ff31316bdc580183591b2c5555667e2af422968916d89def1c0559360

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/439247/

Comments