MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3783ac39db69caabe6962ba2b23ab079443353db1cd7bd1d1d8e645cb8dded8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3783ac39db69caabe6962ba2b23ab079443353db1cd7bd1d1d8e645cb8dded8b
SHA3-384 hash: fc045cc833bb4d317fc12fd88d1b989d9b52753b1c1b58bb0fe7aee716d2eda21135c64b4cf9eea7b29f11964f01e7a6
SHA1 hash: da18eb243696e25f1c9cc428ae191565279e94eb
MD5 hash: 7eb826f65c44539fcef7b1a7c4eca715
humanhash: west-red-mountain-oscar
File name:7eb826f65c44539fcef7b1a7c4eca715.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:367'104 bytes
First seen:2021-01-05 07:28:24 UTC
Last seen:2021-01-05 10:06:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:Q3ms2XeUGRV+d5GNx/tar+zowcdH3rdNCYlFmbNGjfB17IXoC8E3RVyeZy0xbMff:/dpCToNERVyeBbhN
Threatray 214 similar samples on MalwareBazaar
TLSH 327437643CDB3E9ADB42A477CBB78B5A5F1FBD3B95D192CD0800324A08768687E53D24
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7eb826f65c44539fcef7b1a7c4eca715.exe
Verdict:
Malicious activity
Analysis date:
2021-01-05 07:32:42 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/54d04653-38e8-45db-b641-1bf40cc74600

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110508/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.23790.14700.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/573931
Signature
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Disable Task List ballon tips (likely to surpress security warnings)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336025 Sample: 1FXO8fI8R3.exe Startdate: 05/01/2021 Architecture: WINDOWS Score: 100 95 Multi AV Scanner detection for submitted file 2->95 97 Yara detected RedLine Stealer 2->97 99 Sigma detected: Dot net compiler compiles file from suspicious location 2->99 101 10 other signatures 2->101 10 1FXO8fI8R3.exe 15 11 2->10         started        process3 dnsIp4 83 checkip.dyndns.org 10->83 85 checkip.dyndns.com 216.146.43.70, 49717, 80 DYNDNSUS United States 10->85 67 C:\Users\user\AppData\...\ddvvqtrs.cmdline, UTF-8 10->67 dropped 69 C:\Users\user\AppData\...\1FXO8fI8R3.exe.log, ASCII 10->69 dropped 119 Injects a PE file into a foreign processes 10->119 15 1FXO8fI8R3.exe 3 13 10->15         started        20 csc.exe 3 10->20         started        file5 signatures6 process7 dnsIp8 87 9kx6.vrprashnen.ru 81.177.141.231, 443, 49724, 49725 RTCOMM-ASRU Russian Federation 15->87 89 nk.dubakui.ru 15->89 59 C:\Users\user\AppData\Local\1064648507.exe, PE32 15->59 dropped 91 Disable Task List ballon tips (likely to surpress security warnings) 15->91 93 Changes the view of files in windows explorer (hidden files and folders) 15->93 22 1064648507.exe 14 4 15->22         started        27 csc.exe 3 15->27         started        29 cmd.exe 1 15->29         started        61 C:\Users\user\AppData\Local\...\ddvvqtrs.dll, PE32 20->61 dropped 31 conhost.exe 20->31         started        33 cvtres.exe 1 20->33         started        file9 signatures10 process11 dnsIp12 79 192.168.2.1 unknown unknown 22->79 81 9kx6.vrprashnen.ru 22->81 63 C:\Users\user\AppData\Local\...\chrome.exe, PE32 22->63 dropped 107 Antivirus detection for dropped file 22->107 109 Multi AV Scanner detection for dropped file 22->109 111 Machine Learning detection for dropped file 22->111 113 Tries to harvest and steal browser information (history, passwords, etc) 22->113 35 chrome.exe 14 23 22->35         started        39 chrome.exe 22->39         started        65 C:\Users\user\AppData\Local\...\dln2obzl.dll, PE32 27->65 dropped 41 conhost.exe 27->41         started        43 cvtres.exe 1 27->43         started        45 taskkill.exe 1 29->45         started        47 conhost.exe 29->47         started        49 choice.exe 1 29->49         started        115 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->115 117 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->117 file13 signatures14 process15 dnsIp16 71 api.ip.sb 35->71 73 WHOIS.RIPE.NET 193.0.6.135, 43, 49734 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 35->73 75 3 other IPs or domains 35->75 103 Tries to harvest and steal browser information (history, passwords, etc) 35->103 51 cmd.exe 35->51         started        signatures17 process18 dnsIp19 77 127.0.0.1 unknown unknown 51->77 105 Uses ping.exe to sleep 51->105 55 conhost.exe 51->55         started        57 PING.EXE 51->57         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3783ac39db69caabe6962ba2b23ab079443353db1cd7bd1d1d8e645cb8dded8b/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-01-03 16:24:32 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09cb72a7bbb6ed837874193fcecdc231ed9d87752d1d1f668e7afcb2f10440de
RedLineStealer
23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787
RedLineStealer
2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
RedLineStealer
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
RedLineStealer
56f814347c8ec650f905e26cb30343d437b587d8f663ac6bbf4ae4ca483898e1
RedLineStealer
7918e6ed1823254990f59d6015d43cae2f3cccad92e725aa9b2a0f294dc08b61
RedLineStealer
7d957b25b466f6b1eca625ad56a3472a83b2efc825a5d056a7d11b1b74f17fa3
RedLineStealer
aa10af5c6a92dc01b8ba38871c9a1b111cc36a6e0f6d1a039b5ba624bb700a36
RedLineStealer
d8ab8eb6d9e9fdb54f5d72254eafb2732342f8883ee96749bb8615ca196963bb
RedLineStealer
dbb953f1943fa6f07fcaad4f4469fc48a19dc1df34b2502ea8c7b789bedbfade
RedLineStealer
+ 204 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/210105-wav5vxhv4a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Unpacked files
SH256 hash:
3783ac39db69caabe6962ba2b23ab079443353db1cd7bd1d1d8e645cb8dded8b
MD5 hash:
7eb826f65c44539fcef7b1a7c4eca715
SHA1 hash:
da18eb243696e25f1c9cc428ae191565279e94eb
Link:
https://www.unpac.me/results/48569330-b5cf-4463-acb1-63fed1f3333c/
SH256 hash:
3439545cf84631d9a497de7fd03cee090335377647f4bc8d5e3d51d08ac9295a
MD5 hash:
39ca4019d6d47eab8d3d5ccb2d1d7463
SHA1 hash:
709769ebf1412aae6b69dd21b8fb89915519362a
Link:
https://www.unpac.me/results/48569330-b5cf-4463-acb1-63fed1f3333c/
SH256 hash:
816940ddd49259a96fae5adef46c6a23940494a1fe148e3405f271c831d760f5
MD5 hash:
2b0e5470ae26957ab6a2a5d7da61bca7
SHA1 hash:
b7ddec5b7f28a619672ee5b2a18b1cae48379fd8
Link:
https://www.unpac.me/results/48569330-b5cf-4463-acb1-63fed1f3333c/
SH256 hash:
1953523f52547526c4d059a33112655ffb6793ac094b90e0818f6d3ce575db81
MD5 hash:
2fb4be0866cea07cefe95cbae1b9a7f7
SHA1 hash:
e57470ac22b78a0eb245053832ea41fefff3b2f3
Link:
https://www.unpac.me/results/48569330-b5cf-4463-acb1-63fed1f3333c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3783ac39db69caabe6962ba2b23ab079443353db1cd7bd1d1d8e645cb8dded8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110508/

Comments