MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d4ef3090cd85b30210d3b6ab9c5f6c5cd5db7131e55c22ae7ce2bc523d0393b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d4ef3090cd85b30210d3b6ab9c5f6c5cd5db7131e55c22ae7ce2bc523d0393b
SHA3-384 hash: 2e458afbf2898382aa1b54185557cb04b1e13ee3c845aa55f1a203221fd6fa3840d9c6a63ce0a1ac174e6218ea0d5e97
SHA1 hash: 7622f8e9dd2b97d539b388baca7f69c4fd3ab230
MD5 hash: 0db9eebd1a315fc344ca59152a1c8134
humanhash: early-delta-nebraska-early
File name:0db9eebd1a315fc344ca59152a1c8134.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:356'352 bytes
First seen:2022-11-07 16:30:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash abf4213ec7714f6000f791f7695c81bf (4 x RedLineStealer)
ssdeep 6144:M51YP72nMQKeYaezstWk5eBmXnAOuw4ETwwlZgOiVxSUkW:M51YanMQKeYalNT9P4xlkW
TLSH T1BC74CF28B4D2C0B2D933143A05F8E676457DBED98B709DEB27841B6DCF206C1E63256B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
79.137.204.112:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0db9eebd1a315fc344ca59152a1c8134.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 16:32:37 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/0301bc44-0114-43ee-a683-7d1db98edd0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330064/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63695253b630a709a9c2ee52/reports/a4199ab1-9133-4b8f-9c1a-aecba2d4aef5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e0cb0aa3-e632-4e00-ad02-51f2c56db530
Result
Threat name:
Laplas Clipper, MicroClip, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107674
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 740337 Sample: AQjjTzMuUR.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 82 clipper.guru 2->82 102 Snort IDS alert for network traffic 2->102 104 Multi AV Scanner detection for domain / URL 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 9 other signatures 2->108 10 AQjjTzMuUR.exe 1 2->10         started        13 svcupdater.exe 2->13         started        signatures3 process4 dnsIp5 110 Contains functionality to inject code into remote processes 10->110 112 Writes to foreign memory regions 10->112 114 Allocates memory in foreign processes 10->114 116 Injects a PE file into a foreign processes 10->116 16 AppLaunch.exe 15 9 10->16         started        21 WerFault.exe 23 9 10->21         started        23 conhost.exe 10->23         started        84 clipper.guru 45.159.189.115, 49730, 49735, 80 HOSTING-SOLUTIONSUS Netherlands 13->84 118 Multi AV Scanner detection for dropped file 13->118 signatures6 process7 dnsIp8 76 79.137.204.112, 49721, 80 PSKSET-ASRU Russian Federation 16->76 78 api.ip.sb 16->78 80 2 other IPs or domains 16->80 64 C:\Users\user\AppData\Local\...\setup.exe, PE32 16->64 dropped 66 C:\Users\user\AppData\Local\...\ofg.exe, PE32+ 16->66 dropped 68 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 16->68 dropped 94 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->94 96 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->96 98 Tries to harvest and steal browser information (history, passwords, etc) 16->98 100 Tries to steal Crypto Currency Wallets 16->100 25 ofg.exe 16->25         started        29 brave.exe 16->29         started        31 setup.exe 16->31         started        70 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->70 dropped file9 signatures10 process11 file12 72 C:\Users\user\AppData\...\svcupdater.exe, PE32+ 25->72 dropped 120 Multi AV Scanner detection for dropped file 25->120 33 cmd.exe 25->33         started        122 Adds a directory exclusion to Windows Defender 29->122 36 cmd.exe 29->36         started        38 cmd.exe 29->38         started        40 powershell.exe 29->40         started        42 powershell.exe 29->42         started        74 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 31->74 dropped 124 Encrypted powershell cmdline option found 31->124 44 powershell.exe 31->44         started        signatures13 process14 signatures15 86 Uses cmd line tools excessively to alter registry or file data 33->86 88 Uses schtasks.exe or at.exe to add and modify task schedules 33->88 90 Uses powercfg.exe to modify the power settings 33->90 46 conhost.exe 33->46         started        48 schtasks.exe 33->48         started        50 conhost.exe 36->50         started        60 10 other processes 36->60 92 Modifies power options to not sleep / hibernate 38->92 52 conhost.exe 38->52         started        62 4 other processes 38->62 54 conhost.exe 40->54         started        56 conhost.exe 42->56         started        58 conhost.exe 44->58         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d4ef3090cd85b30210d3b6ab9c5f6c5cd5db7131e55c22ae7ce2bc523d0393b/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-04 16:56:00 UTC
File Type:
PE (Exe)
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvhpgcim3bntaiinhnvltrpwyxgv3nytdzk4ekxhzyv4ki6qhe5q._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@foruman evasion infostealer persistence spyware upx
Link:
https://tria.ge/reports/221107-t1dvyaabcn/
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
Stops running service(s)
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
79.137.204.112:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7656233c-9641-4125-ad86-640a919c616e
Unpacked files
SH256 hash:
ebe0165aab1816e85212f9ec940f4def1b395b8682139b35d9cd41e4bc7e4485
MD5 hash:
a2eaaf24593a218adba316324f970642
SHA1 hash:
38a0f5281c093f52a5448ed40c415cd1c1b5494c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/c27690c3-bdd9-465a-97fd-4759fc79419e/
SH256 hash:
3d4ef3090cd85b30210d3b6ab9c5f6c5cd5db7131e55c22ae7ce2bc523d0393b
MD5 hash:
0db9eebd1a315fc344ca59152a1c8134
SHA1 hash:
7622f8e9dd2b97d539b388baca7f69c4fd3ab230
Link:
https://www.unpac.me/results/c27690c3-bdd9-465a-97fd-4759fc79419e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3d4ef3090cd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d4ef3090cd85b30210d3b6ab9c5f6c5cd5db7131e55c22ae7ce2bc523d0393b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/330064/

Comments