MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d568dc9ee07bf5ebe9314d2aea822b1bf4de89110e7c027e151bde134b35ba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d568dc9ee07bf5ebe9314d2aea822b1bf4de89110e7c027e151bde134b35ba5
SHA3-384 hash: 02737c37cfedc4cf5f55fa258fa10cd6693224d10327b60263cc951f77425bc5449162d60450b21a69d1c0e68ff4e933
SHA1 hash: bbd5cf02858f30b4bb329b0a12c4d844656d11f3
MD5 hash: 79a24a331ec7b5d3b1cf688cc64d995a
humanhash: coffee-low-nine-muppet
File name:qqq.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:861'184 bytes
First seen:2022-10-19 01:27:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:AFejHjpj47GLpGLMMMHMMMvMMZMMMKzbKXOMMHMMMvMMZMMMKzbKX7GLMMMHMMM3:AEjDpj4qMMHMMMvMMZMMMFOMMHMMMvMf
Threatray 144 similar samples on MalwareBazaar
TLSH T1A205C0C2F345E8A4D46945318833CA2645A3AD2E8D24463B31EE7B1E3E723D32677D5B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c271cc9cae8de972 (24 x Skeeeyah, 7 x RedLineStealer, 2 x RecordBreaker)
Reporter r3dbU7z
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
qqq.exe
Verdict:
Malicious activity
Analysis date:
2022-10-19 05:58:03 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/9f309fde-39eb-42a2-99a2-27f31106624b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/321539/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.59144.18879.597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/634f52a31b976e20e2c2a7d4/reports/8bcd778a-6dd5-4a64-8a4c-5e8623ec4c9f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/977abbe7-0801-43ca-a734-35a3e2e2d4b6
Result
Threat name:
RedLine, YTStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1093136
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected YTStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725758 Sample: qqq.exe Startdate: 19/10/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 6 other signatures 2->46 9 qqq.exe 3 2->9         started        process3 file4 30 C:\Users\user\AppData\Local\...\qqq.exe.log, CSV 9->30 dropped 54 Writes to foreign memory regions 9->54 56 Allocates memory in foreign processes 9->56 58 Injects a PE file into a foreign processes 9->58 13 vbc.exe 15 7 9->13         started        signatures5 process6 dnsIp7 34 194.36.177.60, 49696, 81 SPEEDNET-ASUA Czech Republic 13->34 36 31.41.244.146, 49698, 80 AEROEXPRESS-ASRU Russian Federation 13->36 38 api.ip.sb 13->38 32 C:\Users\user\AppData\...\22windows_64.exe, PE32+ 13->32 dropped 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->60 62 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->62 64 Tries to harvest and steal browser information (history, passwords, etc) 13->64 66 Tries to steal Crypto Currency Wallets 13->66 18 22windows_64.exe 13->18         started        file8 signatures9 process10 signatures11 48 Antivirus detection for dropped file 18->48 50 Multi AV Scanner detection for dropped file 18->50 21 powershell.exe 11 18->21         started        24 powershell.exe 5 18->24         started        process12 signatures13 52 Queries memory information (via WMI often done to detect virtual machines) 21->52 26 conhost.exe 21->26         started        28 conhost.exe 24->28         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d568dc9ee07bf5ebe9314d2aea822b1bf4de89110e7c027e151bde134b35ba5/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 16:43:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
361
AV detection:
17 of 40 (42.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvli3spoa67v5putctjk5kbcwg7u32ercdt4aj7bkg66cnftlosq._file
Verdict:
malicious
Similar samples:
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
RedLineStealer
2d241ce3d2981c29545a11c13ec0ecd7e021759d35dea0c762bb0c63bb1b555d
RedLineStealer
3595487037dcf807ce3a99232518787290b0a37e56eb63ee62901929b9974277
RedLineStealer
5a023cfa4b4784d7155b39f4bfe4cbfad7e180c99a927dea04445cec4d9d7275
RedLineStealer
6d5320cd6e4cfc208f6703fff254b6f1363e1afdf7d8e77155549a674fa3a263
RedLineStealer
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb
RedLineStealer
cecc58f7e5b69e0b2159f68ca5ee38f36b59a0adbe36f8a93e791f8788488fb5
RedLineStealer
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
RedLineStealer
fae6e271a14675614d3d808555963b31b8e03bad2400f87f2cd2767628b077e5
RedLineStealer
+ 134 additional samples on MalwareBazaar
Result
Malware family:
ytstealer
Create hunting rule
Score:
  10/10
Tags:
family:redline family:ytstealer botnet:crypt_cryptex_v1 infostealer spyware stealer upx
Link:
https://tria.ge/reports/221019-bvntvaehfr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine payload
YTStealer
YTStealer payload
Malware Config
C2 Extraction:
194.36.177.60:81
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2b02e07d-dfbe-4e7f-8fcc-7c81d315f36d
Unpacked files
SH256 hash:
ffa13eb41f6b618dd9cec764486fba7f42bb490283f1670a59d7c48dff42e80b
MD5 hash:
1c722928170c07c71715f595ee85e6e1
SHA1 hash:
60c0bd3e2d14ad588c7ccedf9c2afa3efc83b2bb
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/84b8983e-dcf2-4e87-9db0-28f5c2949a63/
Parent samples :
3d568dc9ee07bf5ebe9314d2aea822b1bf4de89110e7c027e151bde134b35ba5
2a1276d50bffabe2b41cd6c789ef1b5df02080d1ed1c87acce6bcc91f0ac29f8
9cf0a5672e9539d3ff90d6365c28f2a8e2ba4c73b86f7eb3665ed8ae394f91c3
SH256 hash:
3d568dc9ee07bf5ebe9314d2aea822b1bf4de89110e7c027e151bde134b35ba5
MD5 hash:
79a24a331ec7b5d3b1cf688cc64d995a
SHA1 hash:
bbd5cf02858f30b4bb329b0a12c4d844656d11f3
Link:
https://www.unpac.me/results/84b8983e-dcf2-4e87-9db0-28f5c2949a63/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3d568dc9ee07/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d568dc9ee07bf5ebe9314d2aea822b1bf4de89110e7c027e151bde134b35ba5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3d568dc9ee07bf5ebe9314d2aea822b1bf4de89110e7c027e151bde134b35ba5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/321539/

Comments