MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a156d1223d2420acadac6e2b8e9f27c4724515b4bf456fd34b4ad3aff36a8c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 3a156d1223d2420acadac6e2b8e9f27c4724515b4bf456fd34b4ad3aff36a8c4
SHA3-384 hash: fa4a12528c5f2810d610065c663c3c7cceb50983471a49efe30a51c482a2612910ba5d85656d98beccc139300b2ab8f4
SHA1 hash: 20698810e2b0c3a42535d7ae30e59b5b27db53a2
MD5 hash: 2e0d6bdfba3cb9bb742f4b939cb25313
humanhash: utah-venus-louisiana-potato
File name: file
Signature: RedLineStealer
File size: 1'706'128 bytes
First seen: 2023-02-09 21:09:30 UTC
Last seen: 2023-02-10 08:29:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 935778709500381f823bab6e7acae23f (2 x AgentTesla, 1 x RedLineStealer)
ssdeep: 24576:F/1f4xC/km03getEAy41Q/LkobRN8c/NXYYARkCdvJNBRvT3SW9z55xqq2AoI:F8m03geBobRrRYt3vTF52Ao
TLSH: T1B885B0007712F318EA5BA03FDD99A34F5AE61F44053CF1C562E4FC54BCA99BA7AA0352
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 8d963b59713b874e (1 x RedLineStealer)
Reporter: andretavare5
Tags: exe RedLineStealer signed
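The imphash above is cross-referenced with two AgentTesla samples, and the entry below records the file as dropped by PrivateLoader: an import hash shared across families is the usual sign of a common packer or loader stub whose import table is identical regardless of the payload it carries. The following is an added example, not MalwareBazaar's or pefile's code, that re-implements the imphash algorithm so the behaviour is visible: DLL names are lower-cased and stripped of .dll/.ocx/.sys, symbols are lower-cased, ordinals become "ordN", the entries are joined in import-table order and MD5-hashed. The pefile ordinal-to-name lookup for oleaut32/ws2_32/wsock32 is left out as a simplification, and the import tables are constructed, not extracted from this sample.

```python
"""Re-implementation of the imphash algorithm, added as an example to show why
one value links samples from different families. Not code from MalwareBazaar
or pefile; the import tables below are constructed, not taken from the sample."""
import hashlib

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Build the string that imphash hashes.

    `imports` is an ordered list of (dll_name, symbol) pairs in import-table
    order; `symbol` is a function name or an integer ordinal. DLL names are
    lower-cased with .dll/.ocx/.sys stripped, names are lower-cased, ordinals
    become "ordN" (pefile's ordinal-to-name lookup for oleaut32/ws2_32/wsock32
    is omitted in this simplified version).
    """
    parts = []
    for dll, symbol in imports:
        dll = dll.lower()
        for ext in STRIPPED_EXTENSIONS:
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{dll}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 over the import string: the import *order* is part of the hash."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table of a generic loader stub: resolve APIs at runtime,
# allocate memory, hand off to the payload. Nothing payload-specific is
# imported, which is why two samples carrying different payloads (labelled
# A and B here) produce the same imphash.
LOADER_STUB_A = [
    ("KERNEL32.dll", "GetModuleHandleA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
    ("OLEAUT32.dll", 6),  # imported by ordinal
]
# Same stub as written by a different linker: only the case differs.
LOADER_STUB_B = [(d.upper(), s.upper() if isinstance(s, str) else s)
                 for d, s in LOADER_STUB_A]
# Same symbols, different import order: imphash treats this as a new stub.
REORDERED_STUB = [LOADER_STUB_A[2], LOADER_STUB_A[3]] + [
    e for e in LOADER_STUB_A if e not in (LOADER_STUB_A[2], LOADER_STUB_A[3])]


def compare():
    """Return (imphash of A, A == B, A == reordered) for the constructed tables."""
    h_a = imphash(LOADER_STUB_A)
    return h_a, h_a == imphash(LOADER_STUB_B), h_a == imphash(REORDERED_STUB)


if __name__ == "__main__":
    h, same_as_b, same_as_reordered = compare()
    print(f"imphash(A) = {h}")
    print(f"A == B (case differs only): {same_as_b}")
    print(f"A == reordered imports:     {same_as_reordered}")
```

Because the hash covers the loader's imports and nothing of the payload, an imphash pivot in MalwareBazaar clusters by packer rather than by family; treat it as a lead to the loader, and use the section hashes or the unpacked-file hashes further down to pivot on the payload itself.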

Code Signing Certificate

Organisation: www.flex.com
Issuer: Sectigo RSA Organization Validation Secure Server CA
Algorithm: sha256WithRSAEncryption
Valid from: 2022-12-28T00:00:00Z
Valid to: 2023-12-28T23:59:59Z
Serial number: 059020b5e96269dfb89537306a6a73fe
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 66771e8fda0985cfd460eddf15a5ac88902cd8995285aa75cd25bb7b0141eb2e
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Note: the issuer named here is Sectigo's organisation-validated TLS server CA, so the signer appears to be a web server certificate for www.flex.com reused to sign the binary rather than a certificate issued for code signing. The "signed" tag records only that an Authenticode signature is present, not that it validates; check the chain and the extended key usage (for example with Get-AuthenticodeSignature on Windows) before reading a signature as a trust signal, and treat the thumbprint above, already seen on 7 samples, as an indicator in its own right.


andretavare5
Sample downloaded from https://vk.com/doc10773776_659199295?hash=WHQ391eTu4lk6umX1LAWypuFEiisAsiRYzVoDM4QW2s&dl=GEYDONZTG43TM:1675976527:wLi0KlVcZ2Oepz4GvrpGgmfLoO9UGfXnkb8rOOBABYo&api=1&no_preview=1#hH1

Intelligence


File Origin
# of uploads :
256
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-09 21:02:40 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Verdict:
Malicious
Result
Threat name:
RHADAMANTHYS, RedLine, Xmrig
Detection:
malicious
Classification:
troj.evad.rans.spyw.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates an undocumented autostart registry key
Detected Stratum mining protocol
Early bird code injection technique detected
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 803309; Sample: file.exe; Start date: 09/02/2023; Architecture: WINDOWS; Score: 100

Hosts contacted during the run: hcxveddxdsxi3oahts5lhmeftnckaax2.xewokfvqghuzugbzpt8xaru; transfer.sh; 4 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Yara detected RHADAMANTHYS Stealer; 12 other signatures

Process tree (indentation = parent/child; "dropped" = file written by that process; "net" = endpoint contacted by that process):

file.exe
  dropped: Dafay lowerij baso...coxe kaw negepe.exe (PE32); Dafay lowerij baso...exe:Zone.Identifier (ASCII)
  signatures: Self deletion via cmd or bat file; Uses schtasks.exe or at.exe to add and modify task schedules
  Dafay lowerij basogim ceta hicoxe kaw negepe.exe
    dropped: C:\Users\user\AppData\Local\...\6694781.dll (PE32)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    ngentask.exe
      signatures: Tries to steal Crypto Currency Wallets
    fontview.exe
    WerFault.exe
    WerFault.exe
  cmd.exe
    signatures: Uses ping.exe to check the status of other devices and networks
    PING.EXE
      net: 127.0.0.1
    conhost.exe
    chcp.com
  schtasks.exe
    conhost.exe

Dafay lowerij basogim ceta hicoxe kaw negepe.exe (second instance, started at top level)
  dropped: C:\Users\user\AppData\Local\...\6693093.dll (PE32)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  fontview.exe
    signatures: Query firmware table information (likely to detect VMs); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard); 4 other signatures
    dllhost.exe
      signatures: Early bird code injection technique detected; Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
      dllhost.exe
        net: transfer.sh, 144.76.136.153:443 (client ports 49853, 49857; HETZNER-ASDE, Germany)
        dropped: C:\Users\user\AppData\Local\...\Library.exe (PE32+); C:\Users\user\AppData\Local\Temp\Data.exe (PE32+)
        Data.exe
          dropped: C:\Users\user\AppData\...\UpdateSVC.exe (PE32+)
          signatures: Antivirus detection for dropped file; Creates an undocumented autostart registry key; Hijacks the control flow in another process; 3 other signatures
          InstallUtil.exe
            signatures: Protects its processes via BreakOnTermination flag; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
            SMSvcHost.exe
              net: 141.94.96.195:8080 (client port 49863; DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany); Detected Stratum mining protocol on this connection
              signatures: Query firmware table information (likely to detect VMs)
          powershell.exe
            conhost.exe
        Library.exe
          dropped: C:\Users\user\AppData\Roaming\...\WShell.exe (PE32+)
          signatures: Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard); Encrypted powershell cmdline option found
          powershell.exe
            conhost.exe
          MSBuild.exe
            net: 45.159.189.105:80 (client port 49862; HOSTING-SOLUTIONSUS, Netherlands)
  ngentask.exe
    net: 147.135.165.21:36456 (client ports 49843, 49844; OVHFR, France)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController); Queries sensitive disk information (via WMI, Win32_DiskDrive); Tries to steal Crypto Currency Wallets
  2 other processes

svchost.exe
  WerFault.exe
  WerFault.exe
  2 other processes

2 other processes (top level)
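The chain in the graph above is the detectable part of this sample: a binary in the user profile launches cmd.exe to ping and then delete itself, registers a scheduled task, and starts signed Windows binaries (fontview.exe, ngentask.exe, dllhost.exe, InstallUtil.exe, MSBuild.exe, SMSvcHost.exe) that are hollowed and then do the network I/O, including a Stratum connection to port 8080. The following is an added example, not MalwareBazaar's or any sandbox vendor's code, that turns those relationships into hunting rules and runs them over constructed Sysmon-style events. The parent/child links, dropped-file locations and endpoints mirror the graph; the pids, the command lines and the Stratum payload are invented illustrations, not data recovered from the sample.

```python
"""Hunting rules derived from the process tree in the behaviour graph above.

Added example: not MalwareBazaar's or any sandbox vendor's code. The events
are constructed Sysmon-style records that mirror the graph's parent/child
relationships, dropped-file locations and network endpoints; pids, command
lines and the Stratum payload are invented illustrations.
"""
import re
from collections import defaultdict

# Signed Windows binaries the graph shows being spawned by dropped executables
# and used as injection hosts (they are the processes doing the network I/O).
LOLBIN_HOSTS = {"fontview.exe", "ngentask.exe", "dllhost.exe",
                "installutil.exe", "msbuild.exe", "smsvchost.exe"}
USER_PROFILE = re.compile(r"^c:\\users\\", re.I)  # user-writable locations
STRATUM_MARKERS = (b"mining.subscribe", b"mining.authorize", b'"method":"login"')

PROCESS_EVENTS = [  # constructed: pids, paths and command lines are illustrative
    dict(pid=100, ppid=1, image=r"C:\Users\user\Desktop\file.exe", cmdline="file.exe"),
    dict(pid=101, ppid=100, image=r"C:\Users\user\AppData\Local\Temp\Dafay lowerij basogim ceta hicoxe kaw negepe.exe", cmdline=""),
    dict(pid=102, ppid=100, image=r"C:\Windows\System32\cmd.exe",
         cmdline='cmd /c chcp 65001 && ping 127.0.0.1 && del /f /q "C:\\Users\\user\\Desktop\\file.exe"'),
    dict(pid=103, ppid=100, image=r"C:\Windows\System32\schtasks.exe",
         cmdline='schtasks /create /sc minute /mo 1 /tn Dafay /tr "C:\\Users\\user\\AppData\\Local\\Temp\\Dafay lowerij basogim ceta hicoxe kaw negepe.exe"'),
    dict(pid=104, ppid=101, image=r"C:\Windows\System32\fontview.exe", cmdline="fontview.exe"),
    dict(pid=105, ppid=101, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe", cmdline="ngentask.exe"),
    dict(pid=106, ppid=104, image=r"C:\Windows\System32\dllhost.exe", cmdline="dllhost.exe"),
    dict(pid=107, ppid=106, image=r"C:\Windows\System32\dllhost.exe", cmdline="dllhost.exe"),
    dict(pid=108, ppid=107, image=r"C:\Users\user\AppData\Local\Temp\Data.exe", cmdline="Data.exe"),
    dict(pid=109, ppid=107, image=r"C:\Users\user\AppData\Local\Temp\Library.exe", cmdline="Library.exe"),
    dict(pid=110, ppid=108, image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe", cmdline="InstallUtil.exe"),
    dict(pid=111, ppid=110, image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe", cmdline="SMSvcHost.exe"),
    dict(pid=112, ppid=109, image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", cmdline="MSBuild.exe"),
    dict(pid=113, ppid=1, image=r"C:\Windows\System32\svchost.exe", cmdline="svchost.exe -k netsvcs"),  # benign control
]
NETWORK_EVENTS = [  # constructed; the endpoints are the ones listed in the graph
    dict(pid=105, dst="147.135.165.21", port=36456, payload=b""),
    dict(pid=107, dst="144.76.136.153", port=443, payload=b""),
    dict(pid=112, dst="45.159.189.105", port=80, payload=b"GET / HTTP/1.1\r\n"),
    dict(pid=111, dst="141.94.96.195", port=8080,  # invented Stratum login frame
         payload=b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"wallet","agent":"xmrig"}}'),
    dict(pid=113, dst="20.190.160.1", port=443, payload=b""),  # benign control
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(process_events, network_events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        parent = by_pid.get(e["ppid"])
        name, cmd = basename(e["image"]), e["cmdline"].lower()
        parent_name = basename(parent["image"]) if parent else ""
        parent_in_profile = bool(parent and USER_PROFILE.match(parent["image"]))
        # Self-deletion: cmd.exe from a user-profile binary that pings to stall, then deletes.
        if name == "cmd.exe" and parent_in_profile and "ping" in cmd and re.search(r"\bdel\b", cmd):
            findings.append(("self_delete", e["pid"], cmd))
        # Persistence: scheduled task created by a user-profile binary.
        if name == "schtasks.exe" and parent_in_profile and "/create" in cmd:
            findings.append(("schtasks_persistence", e["pid"], cmd))
        # Injection host started by a user-profile binary (dropped exe -> fontview.exe etc.).
        if name in LOLBIN_HOSTS and parent_in_profile:
            findings.append(("lolbin_from_user_profile", e["pid"], f"{parent_name} -> {name}"))
        # Injection host starting another injection host (fontview -> dllhost -> dllhost).
        if name in LOLBIN_HOSTS and parent_name in LOLBIN_HOSTS:
            findings.append(("lolbin_chain", e["pid"], f"{parent_name} -> {name}"))
        # Injection host launching a freshly dropped user-profile executable.
        if parent_name in LOLBIN_HOSTS and USER_PROFILE.match(e["image"]):
            findings.append(("lolbin_spawns_user_binary", e["pid"], f"{parent_name} -> {name}"))
    for n in network_events:
        proc = by_pid.get(n["pid"])
        name = basename(proc["image"]) if proc else ""
        endpoint = f"{n['dst']}:{n['port']}"
        if name in LOLBIN_HOSTS:  # these binaries have no business opening sockets
            findings.append(("lolbin_network", n["pid"], f"{name} -> {endpoint}"))
        if any(marker in n["payload"] for marker in STRATUM_MARKERS):
            findings.append(("stratum_mining", n["pid"], f"{name} -> {endpoint}"))
    return findings


def summarize(findings):
    """Map each rule name to the sorted list of pids that triggered it."""
    out = defaultdict(list)
    for rule, pid, _ in findings:
        out[rule].append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


if __name__ == "__main__":
    for rule, pid, detail in hunt(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{rule:26} pid={pid:<4} {detail}")
```

The rules are keyed on relationships rather than on the IPs, so they keep firing when the operator rotates infrastructure; the IPs and the transfer.sh host from the graph still belong on a blocklist, but as short-lived indicators. The benign svchost.exe control event matches nothing, which is the check to keep when tuning the LOLBIN_HOSTS list for an environment that legitimately runs MSBuild.exe or InstallUtil.exe.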
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2023-02-09 21:10:11 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
4a6e63ab766ad4a384e232fa0c2cbf56529e89cd379beaf0ff641538b76bdab0
MD5 hash:
30a7530382031f6a1d4ad848b841446d
SHA1 hash:
e32050565ca3f8e56d349d89cc2aa4208002b4b3
SHA256 hash:
3a156d1223d2420acadac6e2b8e9f27c4724515b4bf456fd34b4ad3aff36a8c4
MD5 hash:
2e0d6bdfba3cb9bb742f4b939cb25313
SHA1 hash:
20698810e2b0c3a42535d7ae30e59b5b27db53a2
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments