MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3f96fc3cf46fe0da278b83189278e7cc1cf95a302cd4ee40adcb66f54fe8f76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	e3f96fc3cf46fe0da278b83189278e7cc1cf95a302cd4ee40adcb66f54fe8f76
SHA3-384 hash:	086ad1279220e133153c81d7780fbda9cf4c5d4f7dee82b6d04ccf2a8ccafb02484c5f50d334051ae70d89e8f132ef70
SHA1 hash:	1e2ac3d589c858a90a6e89485746c24d268a8cb1
MD5 hash:	17789608bc53b3f2fe0f0d061d34f907
humanhash:	social-avocado-high-helium
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	720'896 bytes
First seen:	2022-11-03 22:42:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	477e2430363d2ab708b40c9d1fa2e711 (3 x RedLineStealer)
ssdeep	12288:Ei6jQdpTaPXEg+D+EGxbmNfWWhEi5ZHk71ferCYvKDNxNudwfnq/Krtr0PZYzTtr:Ei6jQrTaPXEg+PlEiXQ1fe+DrSKrF0Pl
Threatray	943 similar samples on MalwareBazaar
TLSH	T1BCE49E1239C28432D63634350B69EE70DBAEE4310B3246EF97D8167E5F61BE19E3152B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	jstrosch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-03 22:49:14 UTC

Tags:

redline

Link:

https://app.any.run/tasks/0db244fa-8f56-4988-97c2-ce829ff7a633

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/328230/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Sending a custom TCP request

Creating a window

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/48220/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/636443fc15611f8d8bf8af70/reports/401bdea3-b5cb-4452-a597-670bc6d7577c/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/41656a74-ff4b-4bf6-8934-04dcc83d748a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1105018

Signature

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3f96fc3cf46fe0da278b83189278e7cc1cf95a302cd4ee40adcb66f54fe8f76/

Threat name:

Win32.Infostealer.RedLine

Status:

Malicious

First seen:

2022-11-03 22:43:16 UTC

File Type:

PE (Exe)

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4p4w7q6pi37a3ityxayysj4opta47fndalgu5zak3s3g6vh6r53a._file

Verdict:

malicious

RedLineStealer

32b56b40f161ae8174b790aabcf240593d33b0b5d9003949e00dec168f06c8ab

RedLineStealer

5ec3a8d538cf38f9be9ba8419dee05bf711b70baf155ae6d6728ab15444fd24c

RedLineStealer

86884ae87364ee05f02bf541096e42e8fed5898f53e774131160eff8a97c385f

RedLineStealer

8c8774aa92f0237e9a8ffbaa0a88a8650c0bc4b465f0296c94e14f58ac97fc7f

RedLineStealer

c27254ac5402b0c1d36c14c9479df974172b721a8321fdbd08cc7909e905b6a4

RedLineStealer

de53e9a94cf357293dc9fe81b8ddb4d2e42208db9ef231e9a8ba15987ebc79d2

RedLineStealer

+ 933 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:google2 infostealer

Link:

https://tria.ge/reports/221103-2m9z8agcc9/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

167.235.71.14:20469

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c9738078-7dc7-45d9-89c8-af42a33644d2

Unpacked files

SH256 hash:

e3f96fc3cf46fe0da278b83189278e7cc1cf95a302cd4ee40adcb66f54fe8f76

MD5 hash:

17789608bc53b3f2fe0f0d061d34f907

SHA1 hash:

1e2ac3d589c858a90a6e89485746c24d268a8cb1

Link:

https://www.unpac.me/results/5e019c1f-30a4-4973-94da-2b39276b1bf2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3f96fc3cf46fe0da278b83189278e7cc1cf95a302cd4ee40adcb66f54fe8f76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe e3f96fc3cf46fe0da278b83189278e7cc1cf95a302cd4ee40adcb66f54fe8f76

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/328230/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample