MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3925f6dc4f8d53a51bd3127557903c46048842649c717ea1d0aa779870c57e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	f3925f6dc4f8d53a51bd3127557903c46048842649c717ea1d0aa779870c57e8
SHA3-384 hash:	2254f85cf027b4bcdf2a724b622b4541baadcf30d6202a4fd50e5f70c5709b48dfc6681a636c8d2cb4659f7ce16856ea
SHA1 hash:	5743ba259d526c198dabfc4833d5083e59f266c1
MD5 hash:	a71b3aaee7b25f9c2f0060ef71c2bbef
humanhash:	magnesium-bakerloo-wolfram-yellow
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'056'768 bytes
First seen:	2023-04-11 14:03:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ccbc6e933399fed0dbcbc126444168b0 (1 x RedLineStealer)
ssdeep	3072:KtrloMMzLMg5gLmDhLZR7amNsj/VFEvcljwmuxKq0mmzD0+dBqz7MtUDPgsfoMA1:ebiZ5gykLMIjwmuumm/JA4UrgSADZ
Threatray	1 similar samples on MalwareBazaar
TLSH	T11A2537466AB23DFEF5194D3B6734C7486EADA711323341EAE50237DA8D160F0D71EA22
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	jstrosch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

254

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-04-11 14:04:12 UTC

Tags:

redline

Link:

https://app.any.run/tasks/87cf04df-1b8f-4dcf-8818-17ae14b38d11

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/381515/

Detection(s):

SecuriteInfo.com.Variant.Zusy.455970.18223.2462.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/77416/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/643568d5f17a8f86fc8c9ed1/reports/c9e6b9f9-0b86-4239-a77c-ef18d7bf80d7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/f3925f6dc4f8d53a51bd3127557903c46048842649c717ea1d0aa779870c57e8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ede85346-a7ac-4c66-98cd-80f13820e474

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1211855

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3925f6dc4f8d53a51bd3127557903c46048842649c717ea1d0aa779870c57e8/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-04-11 14:04:08 UTC

File Type:

PE (Exe)

AV detection:

17 of 37 (45.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ojf63oe7dktuun5getvk6idyrqerbbgjhdrp2q5bktxtbymk7ua._file

Verdict:

malicious

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/230411-rc9atscg72/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

RedLine

Malware Config

C2 Extraction:

135.181.173.163:4326

Unpacked files

SH256 hash:

527b7246a5474b9059c633136b28101db6bbbf68f16898b41ae561460ac83f50

MD5 hash:

aacd85055f7676bcf9896d7fabbbd829

SHA1 hash:

69531de48f8720a0080257e9b73c8560cc33bbe3

Link:

https://www.unpac.me/results/20eb8195-713f-4773-8b7f-d22180ba30a1/

SH256 hash:

f3925f6dc4f8d53a51bd3127557903c46048842649c717ea1d0aa779870c57e8

MD5 hash:

a71b3aaee7b25f9c2f0060ef71c2bbef

SHA1 hash:

5743ba259d526c198dabfc4833d5083e59f266c1

Link:

https://www.unpac.me/results/20eb8195-713f-4773-8b7f-d22180ba30a1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f3925f6dc4f8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3925f6dc4f8d53a51bd3127557903c46048842649c717ea1d0aa779870c57e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe f3925f6dc4f8d53a51bd3127557903c46048842649c717ea1d0aa779870c57e8

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/381515/

URLhaus

https://urlhaus.abuse.ch/url/2563425/

URLhaus

https://urlhaus.abuse.ch/url/2602163/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample