MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 349db9fa93689080286b16229b50ed0eef46e18f981b51b8cd0b828f81247328. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 349db9fa93689080286b16229b50ed0eef46e18f981b51b8cd0b828f81247328
SHA3-384 hash: 9ca3ccfcdf808bd971cc3dfc536afb4c1bc60237e24cea5cac4d7ea4727cf988a2b9ec1d0049f0e8c59738ff18037b87
SHA1 hash: 23092f5d76506b512bb7bf25d083f33b5f1ed33f
MD5 hash: 462302025737a327f6a74d690dac1337
humanhash: alabama-hotel-pasta-double
File name:ViBot.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:423'800 bytes
First seen:2023-09-26 15:08:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e6417806f636d3a26a1e8916d3e05d01 (22 x RedLineStealer, 4 x MysticStealer, 2 x Amadey)
ssdeep 6144:uOtc1vkeamA7uqck0h6OjAOV5cuHMBMhL8W3VP0PCD2PShjj5eFlmPInvsY1cvgr:uOS1ceamvBn2MiWFsdaY37
Threatray 934 similar samples on MalwareBazaar
TLSH T115945B18FCC289A5E415E13379608764FE3FF824261149EBD74C1BB946923C2993DBFA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter likeastar20
Tags:exe PWSX Redline RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
403
Origin country :
UA UA
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
ViBot.exe
Verdict:
Malicious activity
Analysis date:
2023-09-26 15:03:13 UTC
Tags:
redline stealer
Link:
https://app.any.run/tasks/92ec2a08-095e-44be-99b0-11ca3753ab8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451316/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.21523.9223.25710.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Forced shutdown of a system process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/6512f40f34be449f0119fce1/reports/43db765b-adfd-415f-9f62-453a2ad48ab6/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/349db9fa93689080286b16229b50ed0eef46e18f981b51b8cd0b828f81247328
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e4600e9-9858-47c3-82bb-ceeae01e61ae
Result
Threat name:
MicroClip, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314656
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected MicroClip
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1314656 Sample: ViBot.exe Startdate: 26/09/2023 Architecture: WINDOWS Score: 100 103 Snort IDS alert for network traffic 2->103 105 Found malware configuration 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 14 other signatures 2->109 11 ViBot.exe 2->11         started        process3 signatures4 137 Contains functionality to inject code into remote processes 11->137 139 Writes to foreign memory regions 11->139 141 Allocates memory in foreign processes 11->141 143 Injects a PE file into a foreign processes 11->143 14 AppLaunch.exe 15 7 11->14         started        19 WerFault.exe 21 9 11->19         started        process5 dnsIp6 89 94.142.138.4, 49783, 80 IHOR-ASRU Russian Federation 14->89 91 api.ip.sb 14->91 93 217.196.96.84, 49787, 49797, 49798 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 14->93 83 C:\Users\user\AppData\Local\...\svchost.exe, MS-DOS 14->83 dropped 85 C:\Users\user\AppData\Local\...\conhost.exe, PE32 14->85 dropped 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->95 97 Found many strings related to Crypto-Wallets (likely being stolen) 14->97 99 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->99 101 3 other signatures 14->101 21 svchost.exe 4 14->21         started        25 conhost.exe 8 14->25         started        27 WerFault.exe 19->27         started        file7 signatures8 process9 file10 71 C:\ProgramData\Roaming\O.exe, MS-DOS 21->71 dropped 123 Antivirus detection for dropped file 21->123 125 Multi AV Scanner detection for dropped file 21->125 127 Detected unpacking (changes PE section rights) 21->127 131 4 other signatures 21->131 29 cmd.exe 1 21->29         started        73 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 25->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 25->75 dropped 129 Contains functionality to register a low level keyboard hook 25->129 32 cmd.exe 2 25->32         started        signatures11 process12 signatures13 145 Encrypted powershell cmdline option found 29->145 147 Uses schtasks.exe or at.exe to add and modify task schedules 29->147 34 O.exe 29->34         started        37 conhost.exe 29->37         started        39 timeout.exe 1 29->39         started        41 as5eyd6ryftug.exe 32->41         started        45 7z.exe 32->45         started        47 7z.exe 2 32->47         started        49 12 other processes 32->49 process14 dnsIp15 111 Antivirus detection for dropped file 34->111 113 Multi AV Scanner detection for dropped file 34->113 115 Detected unpacking (changes PE section rights) 34->115 119 5 other signatures 34->119 87 pastebin.com 172.67.34.170, 443, 49790 CLOUDFLARENETUS United States 41->87 77 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 41->77 dropped 79 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 41->79 dropped 117 Sample is not signed and drops a device driver 41->117 51 cmd.exe 41->51         started        54 cmd.exe 41->54         started        56 cmd.exe 41->56         started        81 C:\Users\user\AppData\...\as5eyd6ryftug.exe, PE32 45->81 dropped file16 signatures17 process18 signatures19 121 Encrypted powershell cmdline option found 51->121 58 powershell.exe 51->58         started        61 conhost.exe 51->61         started        63 conhost.exe 54->63         started        65 schtasks.exe 54->65         started        67 conhost.exe 56->67         started        69 schtasks.exe 56->69         started        process20 signatures21 133 Found many strings related to Crypto-Wallets (likely being stolen) 58->133 135 Potential dropper URLs found in powershell memory 58->135
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/349db9fa93689080286b16229b50ed0eef46e18f981b51b8cd0b828f81247328/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-26 15:09:05 UTC
File Type:
PE (Exe)
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gso3t6utnciiakdlcyrjwuhnb3xunymptanvdognbobi7ajeomua._file
Verdict:
malicious
Similar samples:
14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad
RedLineStealer
252055d82e07b21166bc7cd77e43635b582947c7bdc60646c5edc4766bcc7f4c
RedLineStealer
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
RedLineStealer
a3ecec0dc331e402e4c9ae68e1c5554b373e39298800e1a74da6a320aafa940e
RedLineStealer
a85b8341d1594f4ec7d0aaf1cb367c0fe92ecd1914666107d1ed720d2bb7a1a2
RedLineStealer
ea2ef9cccdc8edb4ab821991527ed4b4a7e047d752dd63f902598d03a486b85d
RedLineStealer
eef26490e77fe02338150f05b2134d053736d33b448d2e5309778921cd7cf610
RedLineStealer
f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a
RedLineStealer
+ 924 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@kulksiz infostealer spyware
Link:
https://tria.ge/reports/230926-sjfgrsae8t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
94.142.138.4:80
Unpacked files
SH256 hash:
f5816cba1c1b40996a2d05622447e403b0cdd45e21e1588f226b3fb4cb507c56
MD5 hash:
7f3f4d47edabda9c73e8ba139eb67c84
SHA1 hash:
34f9365d7a526fee1a152796ad14a19ee8c1e33a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/943fb59c-32f6-4a80-83ed-93faf0bc11ed/
SH256 hash:
349db9fa93689080286b16229b50ed0eef46e18f981b51b8cd0b828f81247328
MD5 hash:
462302025737a327f6a74d690dac1337
SHA1 hash:
23092f5d76506b512bb7bf25d083f33b5f1ed33f
Link:
https://www.unpac.me/results/943fb59c-32f6-4a80-83ed-93faf0bc11ed/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/349db9fa9368/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/349db9fa93689080286b16229b50ed0eef46e18f981b51b8cd0b828f81247328

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/451316/

Comments