MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74aee30ce1fd2e305307be59aa6b15b8a33854af361242547826f3b77a6bb169. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74aee30ce1fd2e305307be59aa6b15b8a33854af361242547826f3b77a6bb169
SHA3-384 hash: a48ccf5d290c44cc3bb440b8ebf2f5e2dfce5a95f63d648d681593a081fa2075c27fb462c6945d41c5bbbf807927ddca
SHA1 hash: 2766c35c6959da709609f64a3dc1a0154ec2ef5e
MD5 hash: ae6fe2df78169ded8716bb674c717f63
humanhash: earth-three-gee-stairway
File name:MAGICD_1.exe.vir
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:13'433'856 bytes
First seen:2022-06-18 12:03:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 393216:Hkp1KhW9c5hlERV5RFJzFcguYtN3ZW7FNBQxLd:H81XEhkVhZtN3+FNBu
Threatray 340 similar samples on MalwareBazaar
TLSH T145D63311B7A04D6AE1BE133AF4B59434D232FC46A355F30B1FA924A92D633C99D913B3
TrID 54.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
20.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.8% (.EXE) InstallShield setup (43053/19/16)
4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 44c4b2b2ecee36ca (1 x RedLineStealer)
Reporter KdssSupport
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
MAGICD~1.EXE
Verdict:
Malicious activity
Analysis date:
2022-06-18 10:53:34 UTC
Tags:
installer trojan rat redline evasion phishing stealer quasar
Link:
https://app.any.run/tasks/34ec8f7f-fadc-4f57-950a-f16abd9ed503

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Ursu-9794593-0
Create hunting rule

Win.Packed.Generic-9873203-0
Create hunting rule

Win.Malware.Bulz-9880537-0
Create hunting rule

Win.Packed.Bulz-9883367-0
Create hunting rule

Win.Packed.Generickdz-9885340-0
Create hunting rule

Win.Packed.Bulz-9891195-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.NWorm.UNOFFICIAL
Create hunting rule

Win.Trojan.Razy-6794929-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a window
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Defender launch
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint greyware greyware hacktool netsh.exe packed stealer
Link:
https://www.filescan.io/uploads/62adbf1bb7a5f5720e28f395/reports/5e048345-42a5-4c63-9852-4ec3b2498e57/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c841c2ad-8197-4773-b7aa-dc57e328a1be
Result
Threat name:
RedLine, Vermin Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1015651
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to hide user accounts
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Vermin Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 648145 Sample: MAGICD_1.exe.vir Startdate: 18/06/2022 Architecture: WINDOWS Score: 100 76 us-east-1.route-1.000webhost.awex.io 2->76 78 siyatermi.duckdns.org 2->78 80 payloads-poison.000webhostapp.com 2->80 94 Snort IDS alert for network traffic 2->94 96 Multi AV Scanner detection for domain / URL 2->96 98 Malicious sample detected (through community Yara rule) 2->98 100 17 other signatures 2->100 10 MAGICD_1.exe.exe 7 2->10         started        13 Start Process.exe 2->13         started        15 Start Process.exe 2->15         started        17 Start Process.exe 2->17         started        signatures3 process4 file5 68 C:\Users\user\AppData\...\Start Process.exe, PE32 10->68 dropped 70 C:\Users\user\AppData\...\Software Check.exe, PE32 10->70 dropped 72 C:\Users\user\...\MAGICD_1.exe.exe.log, ASCII 10->72 dropped 74 C:\Users\user\AppData\...\MagicDorks.exe, PE32+ 10->74 dropped 19 Start Process.exe 17 5 10->19         started        24 Software Check.exe 14 38 10->24         started        26 MagicDorks.exe 114 10->26         started        process6 dnsIp7 82 ip-api.com 208.95.112.1, 49755, 49767, 80 TUT-ASUS United States 19->82 58 C:\Users\user\AppData\...\Start Process.exe, PE32 19->58 dropped 102 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->102 28 Start Process.exe 4 19->28         started        32 schtasks.exe 1 19->32         started        34 powershell.exe 19->34         started        40 12 other processes 19->40 84 siyatermi.duckdns.org 24->84 86 api.ip.sb 24->86 104 Tries to harvest and steal browser information (history, passwords, etc) 24->104 106 Tries to steal Crypto Currency Wallets 24->106 36 conhost.exe 24->36         started        60 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32+ 26->60 dropped 62 C:\Users\user\AppData\...\win32evtlog.pyd, PE32+ 26->62 dropped 64 C:\Users\user\AppData\Local\...\win32api.pyd, PE32+ 26->64 dropped 66 29 other files (none is malicious) 26->66 dropped 38 conhost.exe 26->38         started        file8 signatures9 process10 dnsIp11 88 siyatermi.duckdns.org 18.193.6.177, 1518, 17044, 49768 AMAZON-02US United States 28->88 90 192.168.2.1 unknown unknown 28->90 92 ip-api.com 28->92 108 Protects its processes via BreakOnTermination flag 28->108 110 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->110 112 Installs a global keyboard hook 28->112 42 schtasks.exe 28->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 40->48         started        50 conhost.exe 40->50         started        52 conhost.exe 40->52         started        54 9 other processes 40->54 signatures12 process13 process14 56 conhost.exe 42->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74aee30ce1fd2e305307be59aa6b15b8a33854af361242547826f3b77a6bb169/
Threat name:
ByteCode-MSIL.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-06-18 12:05:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
1819
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=osxogdhb7uxdauyhxzm2u2yvxcrtqvfpgyjeevdye3z3o6tlwfuq._file
Verdict:
malicious
Similar samples:
1e2773c36054c3392f3e220d4c22cce63f31750c2ee6707198e4d15648f11897
RedLineStealer
2e1eda10e2bbd19418706a23888807e50c0407eb191cc26d541c85279193c3db
RedLineStealer
5e74c2b7ac2d1ad593abac2e47d690a083bf96f1566901e58a5f59d221bc9853
RedLineStealer
74aee30ce1fd2e305307be59aa6b15b8a33854af361242547826f3b77a6bb169
RedLineStealer
9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b
RedLineStealer
9e33fbfc975a81d62c7ec060a00a42fcdf5e84ba294be3f21d5307b79ddf9555
RedLineStealer
b46a76c6240983b927fa789dbfd5214bb513285da9205c52539736286346ddaf
RedLineStealer
b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
RedLineStealer
e83d13fcdc0f133482d558c8ce25b45a491ba3aff13849ce8169f05bb4972f0d
RedLineStealer
+ 330 additional samples on MalwareBazaar
Result
Malware family:
venomrat
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:redline family:venomrat botnet:awsr botnet:v/r/b discovery evasion infostealer pyinstaller rat rootkit spyware stealer suricata trojan
Link:
https://tria.ge/reports/220618-n8lb4agffp/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Quasar Payload
Quasar RAT
RedLine
RedLine Payload
VenomRAT
suricata: ET MALWARE Common RAT Connectivity Check Observed
Malware Config
C2 Extraction:
siyatermi.duckdns.org:17044
siyatermi.duckdns.org:1518
Unpacked files
SH256 hash:
bcac81c69094ea47c3a00cae028ac4c64dd6cbd4fe85e11363e3e35b48c04842
MD5 hash:
27c2436f6a1c111bef78597d37751138
SHA1 hash:
f1dabacffc82bbfc7d8db578f0a5653d7fe84bca
Link:
https://www.unpac.me/results/9177e2a9-801a-429f-8e0c-c9a70254163a/
SH256 hash:
74f157d228b19efbe878feb76a5be3caeb1cdd11c59ee3ec9622dbd994081310
MD5 hash:
025e2ffb735be017523af9c9a2fbbe87
SHA1 hash:
e5fa2a222098a73ac23644675947816ca14cb1aa
Link:
https://www.unpac.me/results/9177e2a9-801a-429f-8e0c-c9a70254163a/
SH256 hash:
1bb6f045a9218bacd2c0f35f2e9fb3f0a92f5bdd7efd207b070c47707a6ae82d
MD5 hash:
1634b36bb54a876f818712d1f105fe00
SHA1 hash:
deaa950169f13bd1f07103e5aff7932547962e04
Link:
https://www.unpac.me/results/9177e2a9-801a-429f-8e0c-c9a70254163a/
SH256 hash:
5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870
MD5 hash:
4d97786ab8047ad6c08532ed7a017573
SHA1 hash:
a64d07233d813f9a085722295dca62ca726e291a
Link:
https://www.unpac.me/results/9177e2a9-801a-429f-8e0c-c9a70254163a/
SH256 hash:
74aee30ce1fd2e305307be59aa6b15b8a33854af361242547826f3b77a6bb169
MD5 hash:
ae6fe2df78169ded8716bb674c717f63
SHA1 hash:
2766c35c6959da709609f64a3dc1a0154ec2ef5e
Link:
https://www.unpac.me/results/9177e2a9-801a-429f-8e0c-c9a70254163a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/74aee30ce1fd2e305307be59aa6b15b8a33854af361242547826f3b77a6bb169

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_Arechclient2
Create hunting rule
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_mem
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments