MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
SHA3-384 hash: aee3e32c0011d4e2523ebcae64d141c29561b1a17ed4afff999a9d20678a4006586f001fd86732e31fe7c5174c026036
SHA1 hash: 5aad801f2b6a58f125f95464c06c3671047388e8
MD5 hash: 3aeabf97fc5c13d409ce2992820838fd
humanhash: diet-don-louisiana-four
File name:55282E8B63997F62AF3DD4B9D40CACB30A72D8DB1597D3F53057839CF7335750.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:382'976 bytes
First seen:2024-07-24 14:28:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e22fde80595c4bea0880fd6845018d6a (7 x RedLineStealer, 6 x Loki, 6 x Worm.Ramnit)
ssdeep 6144:/gQ7GmYm49gWTlqFbcohS44It0RyC1T+0nZMRBCmA3UlR7Omgc39b2RRoO:/DGmYm49giC9JFF0ZMT/f7tb
TLSH T1D184CF10BB90D035E1B712F88C7A93A8753E7EA19B25A1CF62D416EE56357E4EC3130B
TrID 29.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
21.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.7% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon ccdc9cecaa9ecccc (1 x N-W0rm, 1 x RedLineStealer)
Reporter Anonymous
Tags:exe RedLineStealer


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Dropper.Generickdz-9939781-0
Create hunting rule

Win.Trojan.Generickdz-9950759-0
Create hunting rule

Win.Trojan.Generickdz-9951389-0
Create hunting rule

Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a10fb3ae21d7902eaf9a93
Tags:
Execution Generic Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Modifying an executable file
Query of malicious DNS domain
Connection attempt to an infection source
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a10fb59149fd55f98fe88e/reports/923b6628-7cdd-4c20-ae74-feb66fd17a71/overview
Verdict:
Malicious
Labled as:
Wapomi.BA virus
Link:
https://www.hybrid-analysis.com/sample/343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b372f2e-033f-4e4c-a8c4-0833533c28d2
Result
Threat name:
Bdaejec, RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480246
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 14:29:06 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gq6wiiaysxddk56ndfkc34sgljjxq3dyyqfn6uz7dnep6la63yzq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:50n aspackv2 discovery infostealer
Link:
https://tria.ge/reports/240724-rtkc2ateqa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.106.191.123:34450
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/59cd015b-d6bf-43ed-932e-0db9fe990b2c
Unpacked files
SH256 hash:
2767de6964de10e75abc9d3d0cabe6b8d388a3b7af8a145f1a4ec88d10339510
MD5 hash:
4ed460470422fe23a6d880ed25b83209
SHA1 hash:
f42368aa1e6caf6c391bb971bc60750aefcfe721
Detections:
MALWARE_Win_MetaStealer
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/66b03b54-f0a7-430e-bd1d-9b2a225dd828/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
e91235274497606449cd88b55806818968beb74b2b07c6d2f1bde7aa63d1273a
MD5 hash:
a579937aa5afe3fa3358c95bdbb00300
SHA1 hash:
6638780c6885831197a3cd7d129ef457524d4b57
Detections:
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/66b03b54-f0a7-430e-bd1d-9b2a225dd828/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
8649f7e4e216932a183e51fc921ed31f9d158ae4274f290e36f4fdf62eaa9d8c
MD5 hash:
c875d51539971dd9b84990610b131906
SHA1 hash:
24c526387e9123a399d41e9b6f1a56c9429b5226
Detections:
MAL_Malware_Imphash_Mar23_1
Create hunting rule
Link:
https://www.unpac.me/results/66b03b54-f0a7-430e-bd1d-9b2a225dd828/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
022d2687d686ba463d539687ef271b72c14b40f21cccecaae67c20cce3ace494
MD5 hash:
67aa6fa37fd16da9a9d6a33034901513
SHA1 hash:
d15c8e356aa9da66ccb14d42672e5c10c28a066f
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/66b03b54-f0a7-430e-bd1d-9b2a225dd828/
SH256 hash:
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
MD5 hash:
3aeabf97fc5c13d409ce2992820838fd
SHA1 hash:
5aad801f2b6a58f125f95464c06c3671047388e8
Link:
https://www.unpac.me/results/66b03b54-f0a7-430e-bd1d-9b2a225dd828/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::FlushConsoleInputBuffer
KERNEL32.dll::WriteConsoleInputA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleOutputCharacterA
KERNEL32.dll::WriteConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileWithProgressW
KERNEL32.dll::MoveFileA

Comments