MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3656fa0043bed282d6292af09ebea7233bc01496cf69728a816a9a233f76a766. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3656fa0043bed282d6292af09ebea7233bc01496cf69728a816a9a233f76a766
SHA3-384 hash: 11329c55185a21dc2ed22f0eca2a577b057f686a7dbffd077dc7b970d6b8da338dbc51ec84262cc4b7f3691fa4a5e31e
SHA1 hash: 65d45f11053d122ae4167799e8e9d1efbc5d926d
MD5 hash: 23769393e13038a2f3d17e8ed876385d
humanhash: earth-maine-coffee-ten
File name:23769393e13038a2f3d17e8ed876385d
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'021'320 bytes
First seen:2021-12-07 19:53:25 UTC
Last seen:2021-12-07 21:44:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:yLjmG6dKu+hwGNrY43BFDNcZXZrYS/EgIqGNFEztVcsz/MGgeNbwAoTv1:g9NrY4xFDNrT7qyot64/pHNGb1
Threatray 364 similar samples on MalwareBazaar
TLSH T11825EE4FEDC78655EBCA077945F3B7008B7754D90F2B4BCA9308A6E06BCC1603BA8956
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
23769393e13038a2f3d17e8ed876385d
Verdict:
Malicious activity
Analysis date:
2021-12-07 19:58:50 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c1f7886a-b907-4d9c-9fe5-2ccd4dfc6f6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/212263/
Detection(s):
SecuriteInfo.com.Variant.Bulz.907594.12904.24096.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/61afbbe0fa72c81b5b107a76/reports/89fbd7b9-208b-493e-beda-6783f956379a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/176025a9-a027-4771-b1b0-270e9b69f5bf
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/903410
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Drops PE files with benign system names
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 535888 Sample: rI9UjTP1JB Startdate: 07/12/2021 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 5 other signatures 2->80 10 rI9UjTP1JB.exe 3 2->10         started        14 svchost.exe 9 1 2->14         started        17 svchost.exe 1 2->17         started        19 3 other processes 2->19 process3 dnsIp4 60 C:\Users\user\AppData\...\rI9UjTP1JB.exe.log, ASCII 10->60 dropped 106 Writes to foreign memory regions 10->106 108 Injects a PE file into a foreign processes 10->108 21 RegAsm.exe 15 8 10->21         started        70 127.0.0.1 unknown unknown 14->70 72 192.168.2.1 unknown unknown 17->72 file5 signatures6 process7 dnsIp8 66 95.143.178.132, 21588, 49757 RHTEC-ASrh-tecIPBackboneDE Russian Federation 21->66 68 bitbucket.org 104.192.141.1, 443, 49770, 49771 AMAZON-02US United States 21->68 56 C:\Users\user\AppData\Local\Temp\resetc.exe, PE32+ 21->56 dropped 58 C:\Users\user\AppData\Local\...\hfhu6hrdf.exe, PE32+ 21->58 dropped 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->90 92 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->92 94 Tries to harvest and steal browser information (history, passwords, etc) 21->94 96 Tries to steal Crypto Currency Wallets 21->96 26 hfhu6hrdf.exe 4 21->26         started        30 resetc.exe 7 21->30         started        file9 signatures10 process11 file12 62 C:\Users\user\AppData\...\services.exe, PE32+ 26->62 dropped 110 Machine Learning detection for dropped file 26->110 112 Drops PE files with benign system names 26->112 32 cmd.exe 1 26->32         started        34 cmd.exe 1 26->34         started        64 C:\Users\user\AppData\...\sihost64.exe, PE32+ 30->64 dropped 114 Multi AV Scanner detection for dropped file 30->114 37 sihost64.exe 30->37         started        39 cmd.exe 1 30->39         started        signatures13 process14 signatures15 41 services.exe 2 32->41         started        44 conhost.exe 32->44         started        82 Uses schtasks.exe or at.exe to add and modify task schedules 34->82 46 conhost.exe 34->46         started        48 schtasks.exe 1 34->48         started        84 Antivirus detection for dropped file 37->84 86 Multi AV Scanner detection for dropped file 37->86 88 Machine Learning detection for dropped file 37->88 50 conhost.exe 39->50         started        52 schtasks.exe 39->52         started        process16 signatures17 98 Machine Learning detection for dropped file 41->98 100 Injects code into the Windows Explorer (explorer.exe) 41->100 102 Writes to foreign memory regions 41->102 104 2 other signatures 41->104 54 explorer.exe 41->54         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3656fa0043bed282d6292af09ebea7233bc01496cf69728a816a9a233f76a766/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-07 12:51:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzlpuacdx3jifvrjflyj5pvhem54afewz5uxfcubnkncgp3wu5ta._file
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
RedLineStealer
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
RedLineStealer
4a2c3f7e489652350d3fd9df4259c52e2a9be9eb507d011779079d1e57e0301d
RedLineStealer
51ad6f28307707e2443713e2506ecb87ab29b5aa363912af90c9eeae0485709a
RedLineStealer
65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f
RedLineStealer
66d2fe8e0af50d2d155608a4dfba701aa321fa7b83d5858a91f95f9bbc96f1d1
RedLineStealer
833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2
RedLineStealer
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
RedLineStealer
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
RedLineStealer
f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb
RedLineStealer
+ 354 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@lilkrystajl botnet:cheat discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211207-ymjlgscfdn/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.143.178.132:21588
185.112.83.21:21142
Unpacked files
SH256 hash:
66d5ff14fddd091e7bbfad5c61b6acd3d6a736a67419aa087a93941f5e603e44
MD5 hash:
43138b15f0007db9f247824b2fb7539d
SHA1 hash:
c5a75a34335ce8bd63ab68b78e210b52f6356b06
Link:
https://www.unpac.me/results/3d5b9f91-2c39-4936-abf9-bf69782fa387/
SH256 hash:
3656fa0043bed282d6292af09ebea7233bc01496cf69728a816a9a233f76a766
MD5 hash:
23769393e13038a2f3d17e8ed876385d
SHA1 hash:
65d45f11053d122ae4167799e8e9d1efbc5d926d
Link:
https://www.unpac.me/results/3d5b9f91-2c39-4936-abf9-bf69782fa387/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3656fa0043be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3656fa0043bed282d6292af09ebea7233bc01496cf69728a816a9a233f76a766

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3656fa0043bed282d6292af09ebea7233bc01496cf69728a816a9a233f76a766

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1863947/
Cape
Cape
https://www.capesandbox.com/analysis/212263/

Comments


Avatar
zbet commented on 2021-12-07 19:53:28 UTC

url : hxxp://file-coin-data-5.com/files/5782_1638875320_4520.exe