MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3d47cf720441db8fad6021333ef201927e070bda5e781f5c2bb2f95d2d0b137. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	e3d47cf720441db8fad6021333ef201927e070bda5e781f5c2bb2f95d2d0b137
SHA3-384 hash:	5a60cf1e416e1dc2c641184fb3e479561f9f38df1052d28e44f5125d2a2dfc7a3ce61f6ffbf8c76da67d8e3d7269bc6d
SHA1 hash:	cde01cc0134e376042afa87f0f42ba7c2de568e3
MD5 hash:	68d99ed77220391cce2716a5e8761158
humanhash:	louisiana-table-eighteen-five
File name:	68d99ed77220391cce2716a5e8761158.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	405'504 bytes
First seen:	2022-01-20 06:36:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	140966036910a5f510e2a5a7cba50e06 (14 x RedLineStealer)
ssdeep	6144:YL5LOy2Y0WzJB8T/KxnnNm9/cYRXqReo8i7wHmRL:sT2Y0W1eT/0nnNAc6rmB
Threatray	4'471 similar samples on MalwareBazaar
TLSH	T1A584E0E5B5C0D432C08FD670882ADFA019BDBC7459695A47B3B83B5EBE312D1623621F
File icon (PE):
dhash icon	fcfcb4b4b494d9c1 (74 x Amadey, 56 x Smoke Loader, 38 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.111:1355

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.111:1355	https://threatfox.abuse.ch/ioc/303028/

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/220864/

Detection(s):

Win.Malware.Generic-9936948-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61e9031f0f8c757253cf72be/reports/0a5eb504-6519-4036-b343-60e1437a69bc/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5c2fb202-da65-4a12-aef2-9964f4df480b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/924014

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3d47cf720441db8fad6021333ef201927e070bda5e781f5c2bb2f95d2d0b137/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2022-01-20 09:54:05 UTC

AV detection:

25 of 40 (62.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4pkhz5zaiqo3r6wwaijth3zadet6a4f5uxtyd5ocxmxzluwqwe3q._file

Verdict:

malicious

RedLineStealer

849beb1413d9750e1bad8a3758dc87053d47fe5cba1528723414c918625e6d27

RedLineStealer

8a6b85587a7c87d3f2da53fd4570b961a8a3d606ba2f337bbe0ebe6b07c97989

RedLineStealer

8c932dce374220d274242f9ec935e8adc0ecbfbc1f3896ff941e718dc33d67a3

RedLineStealer

a2cac07f9147dff643d6a810b9370d8fc2551a692d95b378fcc7b3086c44193e

RedLineStealer

d64b097aa7ae529d88f3ea5438deb1630aa57ebf7d7135203ed322ee591997c4

RedLineStealer

+ 4'461 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220120-hdgsjagdh4/

Behaviour

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

4482c8da1743ba343cbc1ce31d4286e658040e3da37de2b72e4169fd7249e8bf

MD5 hash:

925e4096edb29345423f418baf42d91b

SHA1 hash:

f9669495412c387eeb33575ae1a3f423d8857414

Link:

https://www.unpac.me/results/0341e07a-1a0c-4182-9671-0ccf2b5e94b1/

SH256 hash:

51cd6a24d9cd54284fcbe572515477e2ceb2c370c03b41f00db072ec2b279c3b

MD5 hash:

bbd385cd69cc12b32c4acd442be19d09

SHA1 hash:

a7dacfc795e53f9a668461dc025e6f4e135bc616

Link:

https://www.unpac.me/results/0341e07a-1a0c-4182-9671-0ccf2b5e94b1/

SH256 hash:

e96610f881dfb8a82d0dd83c7af00bccecc4cfc7bafd45c68518cbc6ce129366

MD5 hash:

dde047fc59c718d5147b7c01af99de70

SHA1 hash:

1c4a6f29c614d9a55733dc63dec4e22398cc9119

Link:

https://www.unpac.me/results/0341e07a-1a0c-4182-9671-0ccf2b5e94b1/

SH256 hash:

e3d47cf720441db8fad6021333ef201927e070bda5e781f5c2bb2f95d2d0b137

MD5 hash:

68d99ed77220391cce2716a5e8761158

SHA1 hash:

cde01cc0134e376042afa87f0f42ba7c2de568e3

Link:

https://www.unpac.me/results/0341e07a-1a0c-4182-9671-0ccf2b5e94b1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3d47cf720441db8fad6021333ef201927e070bda5e781f5c2bb2f95d2d0b137

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.