MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments 1

SHA256 hash:	f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404
SHA3-384 hash:	53c2057fa2619f56214328e596aa8f3496b4d434e36a6bc9eb9e6302b524059b52198eb36bf22da8fd40fe0a091c97e7
SHA1 hash:	c0fe7ee5986cc0bf8ea29e34eb051057fa648513
MD5 hash:	3d6110a0f3f8ae7db70afe657b2e9369
humanhash:	glucose-violet-zebra-ack
File name:	3d6110a0f3f8ae7db70afe657b2e9369
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	343'040 bytes
First seen:	2023-08-12 09:17:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	57c957ecde7ffcaeaa065ed04df47092 (8 x RedLineStealer, 1 x TeamBot, 1 x Rhadamanthys)
ssdeep	6144:30k9fLAsE9P8fdlTNfNBAczj0BW/PSZ3+/bxkv:3lNRE9wT1DAccE/sOTW
Threatray	558 similar samples on MalwareBazaar
TLSH	T1D874F13136D2C471C68B11B94425DBA05ABF7831637DC69B37990BBE5E723C18BA730A
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0819181040808000 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

3d6110a0f3f8ae7db70afe657b2e9369

Verdict:

Malicious activity

Analysis date:

2023-08-12 09:17:45 UTC

Tags:

redline

Link:

https://app.any.run/tasks/792e658e-fb7f-4b3d-8b96-38883747c33b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/442347/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/102660/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c018b89a-30da-4a7f-9be5-107e5a6cbd85

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1290452

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-08-12 09:18:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6nry5jn452qrzbsmqkj67mynmwufguzjjclwxs66ofgftu6zwqca._file

Verdict:

malicious

RedLineStealer

41e1a2453123d4bdfb252ecb699cc1624b43de4edbe6cf81b5359357ba85c024

RedLineStealer

4875a5a5dd058961caad327b2b718e01fbf2821e4873f13b85e790a09c371209

RedLineStealer

87c9b723dac804469ebc6e59f5a3d9b141dd02fe2315a417e51490325b0a54a0

RedLineStealer

bea60a6d436d1d750f83f0df89dce0367822b76b3c67acfd95ff038870930789

RedLineStealer

d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33

RedLineStealer

d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713

RedLineStealer

e3dc9fb2eb85704dfcf401f7fd838fd2149667fa2573c608aa933ed85036faf4

RedLineStealer

f0870b8834cd0a9819ed4d88b0dbb6f387e7a9db65c1a9c01a6994b738190787

RedLineStealer

f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8601e619b670c78673bb

RedLineStealer

+ 548 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer

Link:

https://tria.ge/reports/230812-k9lgpsda9v/

Behaviour

RedLine

Malware Config

C2 Extraction:

209.250.242.222:27532

Unpacked files

SH256 hash:

92499ca80679872ad84030af76f546e8b0363c3f8b2be60d6684fda828fd0abb

MD5 hash:

a24696f7ae363735a9729062992fd5f0

SHA1 hash:

d9560032203ef35aa9bb6e3435d349314dcf24d2

Link:

https://www.unpac.me/results/e61de1fc-8b80-45dd-8e8b-3c05e8b32672/

SH256 hash:

cf3144f0662f292e7fdb64ff5ecd3feba44074dccc8ade6b06d07cda7db3a75d

MD5 hash:

5b3e517caba49231bac955de65fe3f28

SHA1 hash:

bfa4267104d1c896b5bdfe74d6a20d227c3f0661

Detections:

redline

Link:

https://www.unpac.me/results/e61de1fc-8b80-45dd-8e8b-3c05e8b32672/

Parent samples :

d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33
f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404

SH256 hash:

18aae0324a0f204814fa06f313755162f0cee841c407cb242610c17a1b782ffb

MD5 hash:

7446efe258da00622a5bf7f7b8a9a88f

SHA1 hash:

b6def6395d3a23c790d919264b795183b0581072

Detections:

redline

Link:

https://www.unpac.me/results/e61de1fc-8b80-45dd-8e8b-3c05e8b32672/

Parent samples :

d432320a7de0a91212d72b08be48ba8731a00b336d2777377e5632bd17ee4a33
f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404

SH256 hash:

de0775600ed3f00d727db0f630036ce1db4063cb1db28771462e2e6b80c532db

MD5 hash:

af9634e7674ec78c37ded0378b1d24dd

SHA1 hash:

5257325ea7f3818313200826f22f28c526ee8d26

Link:

https://www.unpac.me/results/e61de1fc-8b80-45dd-8e8b-3c05e8b32672/

SH256 hash:

f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404

MD5 hash:

3d6110a0f3f8ae7db70afe657b2e9369

SHA1 hash:

c0fe7ee5986cc0bf8ea29e34eb051057fa648513

Link:

https://www.unpac.me/results/e61de1fc-8b80-45dd-8e8b-3c05e8b32672/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f3638ea5bcee/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3638ea5bceea11c864c8293efb30d65a853532948976bcbde714c59d3d9b404

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/