MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3ae7d435271c21acc43898d86fc3e36a76c0af50f466ea9fd239b2ebd0cca7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3ae7d435271c21acc43898d86fc3e36a76c0af50f466ea9fd239b2ebd0cca7a
SHA3-384 hash: 8aacfef26e70a4a904a07dfd2bce3bff0fc47dd449e3988133f4e8f6c9b7cbe16d0ec43bcfcb5fcc424b4c3bfcc04c98
SHA1 hash: ec6382212350259caef118c5f8903fb3fce8dae4
MD5 hash: 83dddcc26632bc370f7880cc8d5471cd
humanhash: mexico-wolfram-robert-jig
File name:83dddcc26632bc370f7880cc8d5471cd
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'156'480 bytes
First seen:2021-11-25 01:00:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ec16af2470834134be4cf95ebbc6ba3 (1 x RedLineStealer)
ssdeep 24576:LyqkjWwH6he8fU4Ug42IDR/0GyfBRF78VPZM7EoeD/FlE:LyqkjWwH6he8fU4h43R/01R+ZCEoE/I
Threatray 271 similar samples on MalwareBazaar
TLSH T1DD3512467F86C90BC25827359AC3F3742374FA817F454F8B2290DE9EBC65724F686298
File icon (PE):PE icon
dhash icon 79f8f8f8b89c7030 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
83dddcc26632bc370f7880cc8d5471cd
Verdict:
Malicious activity
Analysis date:
2021-11-25 01:02:10 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a8a30b00-3178-4d20-a927-4dd56269e50e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Malware.Zusy-9908145-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed zusy
Link:
https://www.filescan.io/uploads/619ee052b71ceed4152f405b/reports/73f15f26-ea78-44a8-813c-728324d7024b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab2014cb-5212-46d1-8de6-f04585345359
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/895834
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3ae7d435271c21acc43898d86fc3e36a76c0af50f466ea9fd239b2ebd0cca7a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-24 13:09:43 UTC
File Type:
PE (Exe)
Extracted files:
132
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4oxh2q2sohbbvtcdrggyn7b6g2twycxvb5dg5kp5eons5pimzj5a._file
Verdict:
malicious
Similar samples:
2ff939fa1141fe14c16694123b0b13bce396678fe523c3cd9aa2ebec365b85e6
RedLineStealer
3251aadd8eaff5a07bc0d59b09902d15d962cb83d8dd6ab9ab3fc5edd550ed22
RedLineStealer
47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
RedLineStealer
4923c5d5889e2de152f7c144d7bcee89259cd97edc644fefa05142f91ed30740
RedLineStealer
5000f900d0d52fb1b6634d0437711ab10c9184d080c852f17b2fb114a35446a8
RedLineStealer
614bf39ca1cac00b07029179db856cbafbb2842a734a328faa7935ae59fbaed6
RedLineStealer
9b46902389ae0b114cc77f95c08f85defbc6a14824f39f218810c28d8906e69b
RedLineStealer
c8c685962497719668e4755f90ec88274dc6091379b6c6c8bebff3ad3c089672
RedLineStealer
f45b77752adc9550eab992a9d2577afce77e449cbf5096c78d13b2dfb8b876db
RedLineStealer
fb8a45429132e54b0476b2ccff05cd4fef2913dbfe6536902e4011e1b906c7f0
RedLineStealer
+ 261 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211125-bc823ahcd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
73e9d9a7f6463643cb3948778d680b51f65f2c9f63b26d34d18ae4c1e3813af0
MD5 hash:
2a9a8f74b87e6f169070de4535b8f7e9
SHA1 hash:
a21015c3a52d120ab1a7e20f8fe3fd3db5a3e36e
Link:
https://www.unpac.me/results/041ce5ce-2f7f-422b-b273-d14bd56b84e1/
SH256 hash:
e3ae7d435271c21acc43898d86fc3e36a76c0af50f466ea9fd239b2ebd0cca7a
MD5 hash:
83dddcc26632bc370f7880cc8d5471cd
SHA1 hash:
ec6382212350259caef118c5f8903fb3fce8dae4
Link:
https://www.unpac.me/results/041ce5ce-2f7f-422b-b273-d14bd56b84e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3ae7d435271c21acc43898d86fc3e36a76c0af50f466ea9fd239b2ebd0cca7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e3ae7d435271c21acc43898d86fc3e36a76c0af50f466ea9fd239b2ebd0cca7a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1814621/
Cape
Cape
https://www.capesandbox.com/analysis/209216/

Comments


Avatar
zbet commented on 2021-11-25 01:00:50 UTC

url : hxxp://host-coin-data-1.com/files/6109_1637756876_6394.exe