MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3d69799bd80404bfa4f52077c3d3999d1ba634ed59a2376fb2801aa64935d55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments 1

SHA256 hash:	e3d69799bd80404bfa4f52077c3d3999d1ba634ed59a2376fb2801aa64935d55
SHA3-384 hash:	7f7137ce403c6015dcaba6e6db65b909478989b0447177437fe8ce2a77cf3b16fc2b3b6c67f869b8ebd2d1d53db83d51
SHA1 hash:	39ecb6f5d0aba6a158e4b1053bd29eb223253836
MD5 hash:	5565bca70f59060a08e73c5a4d44504b
humanhash:	august-alabama-helium-may
File name:	5565bca70f59060a08e73c5a4d44504b
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	396'288 bytes
First seen:	2022-06-21 21:08:19 UTC
Last seen:	2022-06-21 21:32:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dbe7c866442b2c90ddc4d147097c4eb3 (4 x RedLineStealer, 1 x Amadey, 1 x SystemBC)
ssdeep	6144:mXnreduD0H/2bq//ndSi8Kr3OArCBT1yMwmH80v6Jlj4O27iU/yAs:mXnqdDf2bqXdSi3ZYT1vJxvYl7279Fs
Threatray	4'139 similar samples on MalwareBazaar
TLSH	T1CF84CE00BA90C439F5F711F449BA9268B63E7DA14B3460CF52E56AEE5638AE4EC31317
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	8c72f0b4364a6230 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/282113/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.26686.17907.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/22222/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62b2338e1e58e55866010383/reports/7f9952d1-4708-4d47-87a9-ff96794757f3/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/94d45fea-d582-45ba-9f26-175ac8b4b977

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1017505

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3d69799bd80404bfa4f52077c3d3999d1ba634ed59a2376fb2801aa64935d55/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-06-21 20:52:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4pljpgn5qbaex6spkidxypjzthi3uy2o2wncg5x3faa2uzetlvkq._file

Verdict:

malicious

RedLineStealer

4a1096ff69db88fd83c9ad89c8d0af3dfaa1ee8a9f5c6e5a5e02647739534e94

RedLineStealer

5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9

RedLineStealer

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01

RedLineStealer

b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0

RedLineStealer

d34f1d23b7dab0b50f29b8647720aaac21c3c43cd3deb478e55b2b46a9872334

RedLineStealer

e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061

RedLineStealer

+ 4'129 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzki discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220621-zzfk2addej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.246:23196

Unpacked files

SH256 hash:

8c376fb67ff85ac0aafbaadad95e7a161ba36cd484059ca9622fd9695c00d971

MD5 hash:

ef4c2367e04b2959d3cd27c8833cde1e

SHA1 hash:

f2f224cd3550b96fa7eee9d0b0bcfcea2696f072

Link:

https://www.unpac.me/results/a6b9c68f-1f24-4f83-b955-7d9b6823fd59/

SH256 hash:

b418c1d77eeb45056cf35dd394541c38eee82e9662b8390c219fba5588d85e81

MD5 hash:

0778be1b895b1cca49b386c181b48e06

SHA1 hash:

ad66ac3a42ae4c12fd66b1451958db31e447dbd7

Link:

https://www.unpac.me/results/a6b9c68f-1f24-4f83-b955-7d9b6823fd59/

SH256 hash:

ce4669e3d3bf2adc298da2f4f1c562e44dfca0a243f8f73b636cb7167d88e17e

MD5 hash:

2edd941ca2b3076f8d1fb521c8579999

SHA1 hash:

86756daf15e2b0c10246c5d81f6c7e9e58c63ebf

Link:

https://www.unpac.me/results/a6b9c68f-1f24-4f83-b955-7d9b6823fd59/

SH256 hash:

e3d69799bd80404bfa4f52077c3d3999d1ba634ed59a2376fb2801aa64935d55

MD5 hash:

5565bca70f59060a08e73c5a4d44504b

SHA1 hash:

39ecb6f5d0aba6a158e4b1053bd29eb223253836

Link:

https://www.unpac.me/results/a6b9c68f-1f24-4f83-b955-7d9b6823fd59/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e3d69799bd80/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3d69799bd80404bfa4f52077c3d3999d1ba634ed59a2376fb2801aa64935d55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.