MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a8a46f956c60aaa2577ba3622a891c5865cdf08414454cfda0f3476d3d16155. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a8a46f956c60aaa2577ba3622a891c5865cdf08414454cfda0f3476d3d16155
SHA3-384 hash: 1fcb16c8262054b8f13d67e3b343be1644e2cb1eab771bd1918235defb32d0c1b4f33d4b0bae7b2b6bd05f6f88be78a1
SHA1 hash: aee0f86860f4443fd0e7f60832f32c4863a1dace
MD5 hash: dcf0e06cb6245eb1713bafae29e2132f
humanhash: enemy-ack-moon-october
File name:dcf0e06cb6245eb1713bafae29e2132f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:97'792 bytes
First seen:2021-09-07 10:04:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 768:CW1YMuivEOKevgqFskoWgRsmisJtCtkAwC:CW1YAcOK8v/FsYwC
Threatray 97 similar samples on MalwareBazaar
TLSH T14BA33430FD074C26EF8F387DEC8F92DB099D59812A2AEA461564295D163CDB3C1DBE12
dhash icon cc968c8c556969e8 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dcf0e06cb6245eb1713bafae29e2132f.exe
Verdict:
Malicious activity
Analysis date:
2021-09-07 10:06:25 UTC
Tags:
stealer evasion trojan rat redline
Link:
https://app.any.run/tasks/41f51db9-a832-4ed0-b310-98a3bcebe9f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185986/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Creating a window
Searching for analyzing tools
Searching for the window
Connection attempt
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/330d31a3-f37b-4e00-b727-a09f855c569d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846492
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478919 Sample: 9c2NwBeaMN.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 53 get-europe-group.bar 104.21.34.192 CLOUDFLARENETUS United States 2->53 77 Antivirus detection for URL or domain 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 8 other signatures 2->83 8 9c2NwBeaMN.exe 15 9 2->8         started        13 WinHoster.exe 2 2->13         started        15 WinHoster.exe 2->15         started        signatures3 process4 dnsIp5 55 iplogger.org 88.99.66.31 HETZNER-ASDE Germany 8->55 57 remotenetwork.xyz 104.21.44.56, 443, 49706 CLOUDFLARENETUS United States 8->57 59 gavenetwork.bar 8->59 33 C:\Users\user\AppData\Roaming\8213815.exe, PE32 8->33 dropped 35 C:\Users\user\AppData\Roaming\7794478.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Roaming\7048646.exe, PE32 8->37 dropped 39 3 other malicious files 8->39 dropped 85 Detected unpacking (changes PE section rights) 8->85 87 May check the online IP address of the machine 8->87 89 Performs DNS queries to domains with low reputation 8->89 17 7048646.exe 8->17         started        21 4375128.exe 3 8->21         started        23 7794478.exe 14 22 8->23         started        25 8213815.exe 1 4 8->25         started        file6 signatures7 process8 dnsIp9 43 95.181.157.102 MSKHOSTRU Russian Federation 17->43 45 api.ip.sb 17->45 61 Multi AV Scanner detection for dropped file 17->61 63 Detected unpacking (changes PE section rights) 17->63 65 Query firmware table information (likely to detect VMs) 17->65 75 3 other signatures 17->75 47 185.177.125.94 WORLDSTREAMNL Netherlands 21->47 67 Hides threads from debuggers 21->67 69 Tries to detect sandboxes / dynamic malware analysis system (registry check) 21->69 28 conhost.exe 21->28         started        49 mremote-support.xyz 23->49 71 Performs DNS queries to domains with low reputation 23->71 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 51 192.168.2.1 unknown unknown 25->51 41 C:\Users\user\AppData\...\WinHoster.exe, PE32 25->41 dropped 30 WinHoster.exe 2 25->30         started        file10 signatures11 process12 signatures13 91 Multi AV Scanner detection for dropped file 30->91
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a8a46f956c60aaa2577ba3622a891c5865cdf08414454cfda0f3476d3d16155/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 07:40:10 UTC
AV detection:
15 of 43 (34.88%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkfen6kwyyfkujlxxi3cfkerywdfzxyiifcfjt62b42hnu6rmfkq._file
Verdict:
malicious
Similar samples:
0fc23c2e005cdfed1a0380dd7a06dda83b882f8d392c7f157b783822d21d78a1
RedLineStealer
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
RedLineStealer
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
RedLineStealer
8aa0059a4ae43e6dde91f3ffc8f0d14792a2c98bbee36ce77b0bb4befd8a48dd
RedLineStealer
9453ddc4bebb87a937e3d53d38c56814907b2862496142ccdb568f48caf2d467
RedLineStealer
a5ae0f12308cd01e02c8c75137818f8945f4fba0785f5558c75bff2f20fb7957
RedLineStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
RedLineStealer
c34f4d1ea21e7248fc8ba8679713d87d35d5f02ab8fc0cf14bed0f1e7eb87492
RedLineStealer
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
RedLineStealer
da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795
RedLineStealer
+ 87 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210907-l4hpasffal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
3a8a46f956c60aaa2577ba3622a891c5865cdf08414454cfda0f3476d3d16155
MD5 hash:
dcf0e06cb6245eb1713bafae29e2132f
SHA1 hash:
aee0f86860f4443fd0e7f60832f32c4863a1dace
Link:
https://www.unpac.me/results/b5afa647-d371-4220-9a6d-437fba64d075/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/3a8a46f956c60aaa2577ba3622a891c5865cdf08414454cfda0f3476d3d16155

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:Embedded_PE
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3a8a46f956c60aaa2577ba3622a891c5865cdf08414454cfda0f3476d3d16155

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/185986/
  
URLhaus
https://urlhaus.abuse.ch/url/1549205/
  
Delivery method
Distributed via web download

Comments