MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c4f456e84a4b82254480d17bd6db4c0a9ae6259e085b362b10183a82956d1ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	3c4f456e84a4b82254480d17bd6db4c0a9ae6259e085b362b10183a82956d1ba
SHA3-384 hash:	b97c992ed366222cdb9a6574c2f9d5c109b88d0d46785137450cf136414cb7cfb27e989760741880a034886e4d1d86dd
SHA1 hash:	b5937933f35fe44805887dcee9488b60f0ef8493
MD5 hash:	26f3ab3022c32610a89a7299d0074351
humanhash:	twelve-ohio-mexico-mobile
File name:	26f3ab3022c32610a89a7299d0074351.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'736'960 bytes
First seen:	2022-11-15 13:50:15 UTC
Last seen:	2022-11-15 15:59:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a00837800ad7e54f9c0c0103e7562cb2 (2 x RedLineStealer, 2 x PrivateLoader)
ssdeep	98304:dIRDHjQTy8c7ZKwF0nI9D6HKM8dG70bpAf:dIRH8cvOJmG7epAf
TLSH	T1BE468C93361F62DFC006517455B3CD07BF2C03B766287C52EAA93036BED7C1A2ACA995
TrID	36.5% (.EXE) InstallShield setup (43053/19/16) 26.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 18.2% (.WLX) Total Commander Lister extension (plugin) (21500/1/6) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://116.202.2.1/

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

26f3ab3022c32610a89a7299d0074351.exe

Verdict:

Malicious activity

Analysis date:

2022-11-15 13:50:48 UTC

Tags:

installer evasion loader trojan rat redline raccoon recordbreaker amadey stealer vidar miner tofsee

Link:

https://app.any.run/tasks/df86bfd7-92e0-4c61-b05e-32c93779635d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/334332/

Detection(s):

SecuriteInfo.com.Variant.Ser.Zusy.3556.31682.14210.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Creating a file in the Windows subdirectories

Сreating synchronization primitives

Modifying a system file

DNS request

Sending an HTTP GET request

Replacing files

Sending a custom TCP request

Reading critical registry keys

Launching a service

Launching a process

Creating a file

Connecting to a non-recommended domain

Sending a UDP request

Forced system process termination

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% subdirectories

Creating a file in the Program Files subdirectories

Creating a window

Launching the default Windows debugger (dwwin.exe)

Running batch commands

Blocking the Windows Defender launch

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Adding exclusions to Windows Defender

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed shell32.dll virus zusy

Link:

https://www.filescan.io/uploads/6373994807c3f5e84a014481/reports/31799d37-26b5-476a-a3cf-e87887817c05/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Tofsee

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d8482d0-3777-4e43-8075-be3879c6690a

Result

Threat name:

PrivateLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1113834

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Creates HTML files with .exe extension (expired dropper behavior)

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Downloads files with wrong headers with respect to MIME Content-Type

Found C&C like URL pattern

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Modifies Group Policy settings

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected PrivateLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c4f456e84a4b82254480d17bd6db4c0a9ae6259e085b362b10183a82956d1ba/

Threat name:

Win32.Trojan.PrivateLoader

Status:

Malicious

First seen:

2022-11-02 15:22:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hrhuk3ueus4cevcibul323nuycu24ysz4cc3gyvragb2qkkw2g5a._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:amadey family:nymaim family:privateloader family:redline family:tofsee family:vidar botnet:937 botnet:@andriii_ff botnet:boy botnet:neruz discovery evasion infostealer loader persistence spyware stealer themida trojan upx vmprotect

Link:

https://tria.ge/reports/221115-q5tkeaaa4z/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Uses the VBS compiler for execution

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

UPX packed file

VMProtect packed file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Amadey

NyMaim

PrivateLoader

RedLine

RedLine payload

Tofsee

Vidar

Malware Config

C2 Extraction:

208.67.104.60
svartalfheim.top
jotunheim.name
https://t.me/deadftx
https://www.ultimate-guitar.com/u/smbfupkuhrgc1
77.73.134.241:4691
45.139.105.171
85.31.46.167
193.106.191.27:47242
185.173.36.94:31511

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4742681f-2184-43a5-abfd-fdd2e7ea4e7c

Unpacked files

SH256 hash:

1bc19796b4989912f432d22b48583a7493fb6885e421901dd7b40e70655c817d

MD5 hash:

5852e27232e32101e30f7db69bc90a32

SHA1 hash:

53c08da9c699dc7faa8957609067472b7b06dc9a

Detections:

PrivateLoader

win_privateloader_w0

win_privateloader_a0

Link:

https://www.unpac.me/results/6862814a-bf26-4a19-9d67-a7a056cacd69/

SH256 hash:

3c4f456e84a4b82254480d17bd6db4c0a9ae6259e085b362b10183a82956d1ba

MD5 hash:

26f3ab3022c32610a89a7299d0074351

SHA1 hash:

b5937933f35fe44805887dcee9488b60f0ef8493

Link:

https://www.unpac.me/results/6862814a-bf26-4a19-9d67-a7a056cacd69/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3c4f456e84a4b82254480d17bd6db4c0a9ae6259e085b362b10183a82956d1ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/334332/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample