MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a
SHA3-384 hash: 34131e77d3dc6745f3320fc6cb449c7dad009fbfa17af2c26656960f3f2b50ac9984ba22f1bec7e04c40c6a6d7aafff1
SHA1 hash: 72ef0dff9731ff86dd3493a9b749ad57ba22d966
MD5 hash: 88d394e1f27c6e2512a00544f53889ec
humanhash: west-washington-pizza-foxtrot
File name:pureland.7z
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:439'602 bytes
First seen:2023-03-04 16:45:10 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
Note:This file is a password protected archive. The password is: pureland
ssdeep 12288:Z77QgOn0IpbnynlQujHGkSyVjEQbHaoBd/HsA:Z60IKlQDlyVbraoBhHv
TLSH T102942370960870CFE2892E37ECC5C5C98D9EFAFA51A0B65842459C24A41FF5A73A7D33
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter iamdeadlyz
Tags:167-235-233-35 7z exe file-pumped PureLand pw pureland RedLineStealer


Avatar
Iamdeadlyz
From thepureland.io (impersonation of Rune Teller - https://store.steampowered.com/app/1944360/Rune_Teller/)
Related incident: https://www.coindesk.com/business/2023/03/02/blockchain-game-the-sandbox-warns-of-phishing-email-after-security-breach/
RedLineStealer C&C: 167.235.233.35:16621

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:pureland.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:734'667'728 bytes
SHA256 hash: 7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23
MD5 hash: 68640753e6d7039bc457b03a5b57fd39
De-pumped file size:655'872 bytes (Vs. original size of 734'667'728 bytes)
De-pumped SHA256 hash: f4ae47d0f97a500401a1e5a068dbab57dfbd9cdf0ffebae6e730e5cc3226fc2e
De-pumped MD5 hash: f98df82f0afc60f34816d35c9dd75245
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a
Result
Verdict:
UNKNOWN
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ksvyr7vadx2joy3ifehz5isyofq65by5wkvmvwm5ni2fqi4fvva._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:5hr infostealer
Link:
https://tria.ge/reports/230304-zq16daec2v/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
RedLine
Malware Config
C2 Extraction:
167.235.233.35:16621
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

7z f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a

(this sample)

7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23

  
Dropping
SHA256 7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23
  
Dropping
SHA256 f4ae47d0f97a500401a1e5a068dbab57dfbd9cdf0ffebae6e730e5cc3226fc2e
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2558092/
  
X
https://twitter.com/Iamdeadlyz/status/1633253641556746240

Comments