MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d8eab0992f3f1b56586649b05ef135e48e0aed7482cbb5e132f9efcab3e6a28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 3d8eab0992f3f1b56586649b05ef135e48e0aed7482cbb5e132f9efcab3e6a28
SHA3-384 hash: 9b70d847bd698ef6307e38c421c13ef57946a0677f5e0285beeb21fdb91f5e5458b54bbea59d203f15492fa624175ba4
SHA1 hash: fe41b1e40de8d71b6c3ac3e0c41b3c810cc2b396
MD5 hash: 57ebbca2cea4cc68ed5e9ef73ce590d1
humanhash: don-robin-friend-michigan
File name: file
Signature: RedLineStealer
File size: 5'303'296 bytes
First seen: 2023-05-31 05:18:38 UTC
Last seen: 2023-05-31 08:37:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f9644890a52aa13e3e994733d15fcb99 (1 x RecordBreaker, 1 x TrickBot, 1 x Smoke Loader)
ssdeep: 98304:wMXX5FfnH75zqYyYqwfdQ0EA00fFmD1BNvEtzTdOMOct91nu7VbTA68jqRNGn:wkHdqY+gKRYfoBBN8t9ONQ9I7VbX8jqm
TLSH: T12A3612AB61D83379E01EC43C45B3E919F2F6A55FD6D48A7B21DEBAC05F7140069C2B0A
TrID: 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.6% (.ICL) Windows Icons Library (generic) (2059/9)
      15.4% (.EXE) OS/2 Executable (generic) (2029/13)
      15.2% (.EXE) Generic Win/DOS Executable (2002/3)
      15.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 86c6cece8e8caedc (1 x ArkeiStealer, 1 x RedLineStealer, 1 x Amadey)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from http://163.123.143.4/WW/WWW3_64.exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 276
Origin country: US
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-05-31 05:19:27 UTC
Tags: evasion privateloader opendir loader rat redline gcleaner smoke trojan amadey tofsee andromeda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Modifying a system file
Creating synchronization primitives
DNS request
Sending a custom TCP request
Replacing files
Sending an HTTP GET request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Changing a file
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lolbin packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Fabookie, PrivateLoader, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected Tofsee
Behaviour
Behavior Graph: (Behavior Graph ID 878755, sample file.exe, start date 31/05/2023, architecture WINDOWS, score 100; the rendered process/network graph is not reproduced here.)
Threat name: Win64.Trojan.Privateloader
Status: Suspicious
First seen: 2023-05-31 05:19:06 UTC
File Type: PE+ (Exe)
Extracted files: 30
AV detection: 12 of 24 (50.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SHA256 hash: 3d8eab0992f3f1b56586649b05ef135e48e0aed7482cbb5e132f9efcab3e6a28
MD5 hash: 57ebbca2cea4cc68ed5e9ef73ce590d1
SHA1 hash: fe41b1e40de8d71b6c3ac3e0c41b3c810cc2b396
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/
Rule name: pe_imphash
Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Win32_Trojan_RedLineStealer
Author: Netskope Threat Labs
Description: Identifies RedLine Stealer samples
Reference: deb95cae4ba26dfba536402318154405
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments