MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b3af3c0c0ccff93c1f62d0e00a25e76b856392c604e209f93e987a7a913a727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b3af3c0c0ccff93c1f62d0e00a25e76b856392c604e209f93e987a7a913a727
SHA3-384 hash: cc2b73e00a32b4556ba02d0f82e0e074d2259abf9a706274e5d5ca9a5d1516b4aaa9f688421ad9e63f4cba6a1a760ed9
SHA1 hash: a0570a216c8503c416de8fdadf69aa8c8e20a447
MD5 hash: 994b0bab7ff8444a2af843037db8ddb5
humanhash: gee-north-jig-hydrogen
File name:994B0BAB7FF8444A2AF843037DB8DDB5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'472'894 bytes
First seen:2021-08-20 01:56:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xsCvLUBsgVWV1isl2OuKtda5UimgQb8Q6uNQYZO:xxLUCgVU1io29KIUimb8Ru6t
Threatray 383 similar samples on MalwareBazaar
TLSH T10A263342B2D780FAE9975136EB685B3622B9C2A419B840D37340DF2CAF344F2D73566D
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.38.55.35:16777

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.38.55.35:16777 https://threatfox.abuse.ch/ioc/192383/

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180824/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a file
Creating a process with a hidden window
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Deleting a recently created file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db749de4-427f-45c4-ab8c-aebd44822148
Result
Threat name:
Cookie Stealer Cryptbot Glupteba Metaspl
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836158
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected Cryptbot
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 468585 Sample: MFi04pjEW7.exe Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 111 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->111 113 iplogger.org 88.99.66.31, 443, 49696, 49697 HETZNER-ASDE Germany 2->113 115 3 other IPs or domains 2->115 175 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->175 177 Antivirus detection for URL or domain 2->177 179 Antivirus detection for dropped file 2->179 181 20 other signatures 2->181 12 MFi04pjEW7.exe 18 2->12         started        15 rundll32.exe 2->15         started        signatures3 process4 file5 97 C:\Users\user\AppData\...\setup_install.exe, PE32 12->97 dropped 99 C:\Users\user\AppData\Local\...\libcurl.dll, PE32 12->99 dropped 101 C:\Users\user\...\Mon16f128cd8075e.exe, PE32 12->101 dropped 103 13 other files (9 malicious) 12->103 dropped 17 setup_install.exe 1 12->17         started        21 rundll32.exe 15->21         started        process6 dnsIp7 107 127.0.0.1 unknown unknown 17->107 109 watira.xyz 17->109 161 Performs DNS queries to domains with low reputation 17->161 163 Adds a directory exclusion to Windows Defender 17->163 23 cmd.exe 1 17->23         started        25 cmd.exe 17->25         started        27 cmd.exe 17->27         started        29 8 other processes 17->29 165 Writes to foreign memory regions 21->165 167 Allocates memory in foreign processes 21->167 169 Creates a thread in another existing process (thread injection) 21->169 signatures8 process9 signatures10 32 Mon168eacf5abe6.exe 23->32         started        35 Mon16f128cd8075e.exe 25->35         started        37 Mon165996b67ab8c.exe 27->37         started        183 Submitted sample is a known malware sample 29->183 185 Obfuscated command line found 29->185 187 Uses ping.exe to sleep 29->187 189 2 other signatures 29->189 40 Mon1663a63d10ba4bf8.exe 29->40         started        43 Mon162a49cb298e25a7e.exe 1 14 29->43         started        45 Mon16299b35036.exe 2 29->45         started        47 4 other processes 29->47 process11 dnsIp12 141 Multi AV Scanner detection for dropped file 32->141 143 Machine Learning detection for dropped file 32->143 145 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 32->145 159 3 other signatures 32->159 49 explorer.exe 32->49 injected 51 cmd.exe 35->51         started        53 dllhost.exe 35->53         started        81 C:\Users\user\AppData\Local\...\Chrome 5.exe, PE32+ 37->81 dropped 83 C:\Users\user\AppData\Local\...\BearVpn 3.exe, PE32 37->83 dropped 85 C:\...\dcc7975c8a99514da06323f0994cd79b.exe, PE32 37->85 dropped 55 dcc7975c8a99514da06323f0994cd79b.exe 37->55         started        59 Chrome 5.exe 37->59         started        133 2 other IPs or domains 40->133 147 Detected unpacking (changes PE section rights) 40->147 149 May check the online IP address of the machine 40->149 151 Performs DNS queries to domains with low reputation 40->151 125 ip-api.com 208.95.112.1, 49687, 80 TUT-ASUS United States 43->125 127 staticimg.youtuuee.com 45.136.151.102, 49689, 49690, 49691 ENZUINC-US Latvia 43->127 135 2 other IPs or domains 43->135 87 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 43->87 dropped 89 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 43->89 dropped 153 Contains functionality to steal Chrome passwords or cookies 43->153 155 Drops PE files to the startup folder 43->155 157 Creates processes via WMI 45->157 61 Talune.exe.com 45->61         started        64 Mon16299b35036.exe 45->64         started        129 37.0.10.185 WKD-ASIE Netherlands 47->129 131 37.0.11.8 WKD-ASIE Netherlands 47->131 137 5 other IPs or domains 47->137 file13 signatures14 process15 dnsIp16 66 cmd.exe 51->66         started        69 conhost.exe 51->69         started        117 qwertys.info 104.21.20.198, 443, 49692 CLOUDFLARENETUS United States 55->117 119 testmeinfo.info 104.21.38.197, 443, 49694 CLOUDFLARENETUS United States 55->119 91 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 55->91 dropped 93 C:\Users\user\AppData\...\services64.exe, PE32+ 59->93 dropped 121 DrbPbUkqxjgjxlbJzPNI.DrbPbUkqxjgjxlbJzPNI 61->121 191 Tries to harvest and steal browser information (history, passwords, etc) 61->191 123 live.goatgame.live 104.21.70.98, 443, 49688 CLOUDFLARENETUS United States 64->123 95 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 64->95 dropped 71 conhost.exe 64->71         started        file17 signatures18 process19 signatures20 171 Obfuscated command line found 66->171 173 Uses ping.exe to sleep 66->173 73 PING.EXE 66->73         started        76 findstr.exe 66->76         started        79 Talune.exe.com 66->79         started        process21 dnsIp22 139 192.168.2.3, 443, 49199, 49677 unknown unknown 73->139 105 C:\Users\user\AppData\...\Talune.exe.com, Targa 76->105 dropped file23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b3af3c0c0ccff93c1f62d0e00a25e76b856392c604e209f93e987a7a913a727/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 05:22:11 UTC
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hm5phqgazt7zhqpwfuhabis6o24fmojmmbhcbh4t5gd2pkitu4tq._file
Verdict:
malicious
Similar samples:
03eb4a70bc788ed9cd096d77502ef2f5788e4f3930c3bf5924cead278dc6872d
RedLineStealer
283473a88217ba51d59c416ec4df9a019df2954d592dafbd60ac9b6df58abd96
RedLineStealer
5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb
RedLineStealer
5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
RedLineStealer
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
RedLineStealer
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
RedLineStealer
aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443
RedLineStealer
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
RedLineStealer
+ 373 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:vidar family:xmrig botnet:706 botnet:pab3 aspackv2 backdoor bootkit dropper infostealer loader miner persistence stealer trojan
Link:
https://tria.ge/reports/210820-aygrtb9ejs/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
xmrig
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.15:61506
Unpacked files
SH256 hash:
11056c89b02dffdd9f97e429fbd1262d329016d117079abbbd50451bb3486ac2
MD5 hash:
ab636769db5d8c33fb964876115e3e1c
SHA1 hash:
00f0f9de24c0429f43ec1ab3e8fdbfac5854b23a
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
1ab460eac81001bfa0da8cbadfd4fba0ad0f371742a2c725ff5cf71bdd8e2b9f
MD5 hash:
1dc95107f7dd6d1392bb8d9b53b76916
SHA1 hash:
b26f9c90ad4656d2ddf3e96da967e0f65a9623e1
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
d1ff2f8a510fb4d25dd861e4cd5196585ccdd66cd6e941941e13d634da825f32
MD5 hash:
e3ed5e6a62ece3cf158688bce4161fbf
SHA1 hash:
5a8c4dddf69e8650952b0d29987cc6edfe25fb0b
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
ab9bb888f6235eaee1ad52cd9b4d1f960ea09743ff80919d0095383f3683c583
MD5 hash:
eff546ee925781db419befdf93bd045d
SHA1 hash:
1129b509403fa589b50310f99f77c69ecc7f8314
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
3ac82c275c09d21438858d48eea37fe653d188a4ec4a783fad1ed022405f941b
MD5 hash:
99ce1ecb2cc198a8984618f53b786c00
SHA1 hash:
ce0cc43ea97bdaf7f6813047d6c2606e5d3f38de
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
d96d3c9b680ef2bd774d627b59f18c8b161e67dd8ae752c2d5a8abb22730ce99
MD5 hash:
8c4d8f10f3c4715a91953efa8b12e38c
SHA1 hash:
973109999c7f771f69af1d422dc0318e5c516188
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
8ca29bbbef3607841c4d6e490fcada15442c48a46c9fe304a217906eeb8ec2b7
MD5 hash:
cab3674a3b78eb028ed2a3fb971d9c43
SHA1 hash:
60536362e1fa52dbeaf1bcb634939dc17792f481
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
c1cf4a5d3b36b4b5edffd13e15e9563b46b5e003cc35c01641663b074a620a49
MD5 hash:
26f68b2729ae13012516cda8455fc56b
SHA1 hash:
5f485681f2c36c80eb5347e122896675eaa28022
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
798b08b53f7a589e8a24d23be077d7d0fe3071079fdd009200f6942ce514d576
MD5 hash:
4bc2a92e10023ac361957715d7ea6229
SHA1 hash:
4b0e1b0640c0e744556deadfccf28a7c44944ed9
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
130666c8da4674f6969b876fff7d9bb86104d05fd696ca4738ec03e57453a438
MD5 hash:
e8f0027f3c5b707300dc0e4f6947b061
SHA1 hash:
4091672c0a2f5c0daa9da69afda904778f15afba
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
053a8540355537a330faa188a8d44207dcee9d01ab1b3b817d35ddd9a625cd55
MD5 hash:
9b665febebf2861b9cd2a87071d8c709
SHA1 hash:
3d4a21b039153a22a07c34fdf21fef22051a08e1
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
bdd9feb13e30b7bd628e49bf45b199daadb1470a1149cced8a3a5edfe3ea2f8b
MD5 hash:
63428bee7c7cd6f5c65185182ed2ecdc
SHA1 hash:
7e58a21630d3729580cee771d1f5d9f553b85b42
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
3fe8435031449961636b771b79636652275768f9932b097a3f00ff3f18ea28d0
MD5 hash:
18189804f98b5b7b94be0f10aff487c3
SHA1 hash:
cb20b66c1e794aefa1e0ec2cdc79d135f4066da9
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
9e22e7f85ff0387dd81a9ea07849d8db62dbcbd0c0993690440f9d5c0237a998
MD5 hash:
a696d34caaf1ebe09bba90bfb31ab315
SHA1 hash:
5fec32b33a438c10609fe2d5d333083e84633edc
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
SH256 hash:
3b3af3c0c0ccff93c1f62d0e00a25e76b856392c604e209f93e987a7a913a727
MD5 hash:
994b0bab7ff8444a2af843037db8ddb5
SHA1 hash:
a0570a216c8503c416de8fdadf69aa8c8e20a447
Link:
https://www.unpac.me/results/0b37aadd-3965-4a58-9247-1a5d6c9e6e8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b3af3c0c0ccff93c1f62d0e00a25e76b856392c604e209f93e987a7a913a727

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180824/

Comments