MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab
SHA3-384 hash: 4bdf3596e4e725d59aaca090b5bf6fba6c3c69257bdfe60c65040709d66a70a0dfe620b980e630581ab1a17785601926
SHA1 hash: ccb5c7d3dc8344bbad401de8b640a07dfe9aa3b2
MD5 hash: ca252aa3ba96382a26c7c82e4b847b84
humanhash: white-oscar-batman-charlie
File name:CA252AA3BA96382A26C7C82E4B847B84.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:761'898 bytes
First seen:2021-07-12 19:12:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'501 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:d/QiQXCSi5m+ksmpk3U9j0IHW2vsoxvjFEOTb9WmZX/8shzdsY4CpHPhnFc:VQi3Xc6m6UR0Ipp1hf39Wkv8xwJK
Threatray 2'438 similar samples on MalwareBazaar
TLSH T10EF40229B649D032D4915AB09E32E0B14A337F682D79644637CE7F9F3F362915029BE3
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.198.57.69:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.198.57.69:80 https://threatfox.abuse.ch/ioc/159867/

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
49d90048_Main-lnstall-v3.0.zip
Verdict:
Malicious activity
Analysis date:
2021-07-09 12:52:52 UTC
Tags:
loader evasion autoit trojan stealer vidar opendir rat redline keylogger agenttesla phishing ficker netsupport unwanted
Link:
https://app.any.run/tasks/5fc3f989-653d-4888-8777-b6b67fe231b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Adware
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171177/
Detection(s):
Win.Malware.Passteal-9853623-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69fac1fb-579f-4095-9d83-46babed9d5ab
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815109
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample is protected by VMProtect
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 447520 Sample: QppmM7JmZd.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 122 www.profitabletrustednetwork.com 2->122 124 www.directdexchange.com 2->124 126 27 other IPs or domains 2->126 178 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->178 180 Multi AV Scanner detection for domain / URL 2->180 182 Antivirus detection for URL or domain 2->182 186 10 other signatures 2->186 12 QppmM7JmZd.exe 2 2->12         started        15 Larilujoshy.exe 2->15         started        signatures3 184 Performs DNS queries to domains with low reputation 124->184 process4 dnsIp5 116 C:\Users\user\AppData\...\QppmM7JmZd.tmp, PE32 12->116 dropped 18 QppmM7JmZd.tmp 3 19 12->18         started        176 superstationcity.com 194.163.135.248, 49751, 80 NEXINTO-DE Germany 15->176 118 C:\Program Files (x86)\...\Windows Update.exe, PE32 15->118 dropped 120 C:\...\Windows Update.exe.config, XML 15->120 dropped 22 Windows Update.exe 15->22         started        file6 process7 dnsIp8 128 requested404.com 63.250.33.126, 49727, 49735, 80 NAMECHEAP-NETUS United States 18->128 88 C:\Users\user\AppData\...\board_1564501.exe, PE32 18->88 dropped 90 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 18->90 dropped 92 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 18->92 dropped 94 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->94 dropped 24 board_1564501.exe 22 20 18->24         started        130 privateinvestig8tor.com 22->130 132 connectini.net 22->132 file9 process10 dnsIp11 148 iplogger.org 88.99.66.31, 443, 49737, 49851 HETZNER-ASDE Germany 24->148 150 connectini.net 162.0.210.44, 443, 49733, 49741 ACPCA Canada 24->150 152 3 other IPs or domains 24->152 108 C:\Users\user\AppData\...\Myciladepo.exe, PE32 24->108 dropped 110 C:\Users\user\AppData\...\Vazhuhihywe.exe, PE32 24->110 dropped 112 C:\Program Files (x86)\...\Larilujoshy.exe, PE32 24->112 dropped 114 3 other files (2 malicious) 24->114 dropped 190 Detected unpacking (overwrites its own PE header) 24->190 29 Myciladepo.exe 14 5 24->29         started        33 Vazhuhihywe.exe 24->33         started        36 SystemMonitor.exe 2 24->36         started        file12 signatures13 process14 dnsIp15 168 connectini.net 29->168 192 Multi AV Scanner detection for dropped file 29->192 38 iexplore.exe 29->38         started        41 iexplore.exe 29->41         started        43 iexplore.exe 29->43         started        54 57 other processes 29->54 170 htagzdownload.pw 33->170 172 ticaus.pw 111.90.146.149, 49823, 80 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 33->172 174 19 other IPs or domains 33->174 82 C:\Users\user\AppData\Local\...\md6_6ydj.exe, PE32 33->82 dropped 84 C:\Users\user\AppData\Local\...\JoSetp.exe, PE32 33->84 dropped 194 Performs DNS queries to domains with low reputation 33->194 45 cmd.exe 33->45         started        47 cmd.exe 33->47         started        49 cmd.exe 33->49         started        56 6 other processes 33->56 86 C:\Users\user\AppData\...\SystemMonitor.tmp, PE32 36->86 dropped 51 SystemMonitor.tmp 27 18 36->51         started        file16 signatures17 process18 dnsIp19 134 www.cloud-security.xyz 38->134 144 2 other IPs or domains 38->144 65 2 other processes 38->65 136 www.cloud-security.xyz 41->136 138 cloud-security.xyz 41->138 58 iexplore.exe 41->58         started        140 www.cloud-security.xyz 43->140 142 cloud-security.xyz 43->142 61 iexplore.exe 43->61         started        67 2 other processes 45->67 70 2 other processes 47->70 73 2 other processes 49->73 96 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 51->96 dropped 98 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 51->98 dropped 100 C:\Program Files (x86)\...\is-GAB2G.tmp, PE32 51->100 dropped 102 C:\Program Files (x86)\...\is-FT4F7.tmp, PE32 51->102 dropped 63 SystemMonitor.exe 51->63         started        146 30 other IPs or domains 54->146 75 24 other processes 54->75 77 7 other processes 56->77 file20 process21 dnsIp22 156 6 other IPs or domains 58->156 158 5 other IPs or domains 61->158 154 adsaro.net 161.35.179.108, 443, 49763, 49764 DIGITALOCEAN-ASNUS United States 65->154 160 10 other IPs or domains 65->160 162 3 other IPs or domains 67->162 104 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 67->104 dropped 79 jfiag3g_gg.exe 67->79         started        164 2 other IPs or domains 70->164 106 C:\Users\user\Documents\...\md6_6ydj.exe, PE32 70->106 dropped 188 Drops PE files to the document folder of the user 70->188 166 13 other IPs or domains 75->166 file23 signatures24 process25 signatures26 196 Tries to harvest and steal browser information (history, passwords, etc) 79->196
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 00:58:00 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxxp2hy7o5wmcsmtkcfoegtegs2jnnenpqoil3ejevzofjleoovq._file
Verdict:
suspicious
Similar samples:
2c1e4de15b0a08e77555d4b16f2bb56fae378081a9411138d323b6b52a7e891b
RedLineStealer
2df4e3a4d7b6e5f33ef54c73ff86ffc76d8667ff587756a2887bf91687ab46a9
RedLineStealer
361dc084efc29ddc0a837710fc28a872389e3a61413e5c82fcbefc1906c7b29f
RedLineStealer
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
RedLineStealer
48643d9ccc694960fb84f505524d0f148a0331a7e2569171ff3999dd60bc7154
RedLineStealer
4905fecf9b5d2057f495dcd21e81e03db0114af804fe59931cd901fbfbde5c9a
RedLineStealer
531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4
RedLineStealer
8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884
RedLineStealer
efea5e4af45434b028bbb6f0f45e57d74cc37a0d46ba85921f456806d48bc97c
RedLineStealer
f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9
RedLineStealer
+ 2'428 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader botnet:1 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/210712-tj98z3sbqx/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
65.21.103.69:36491
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/afc3bab8-748b-46c0-bc7d-85c959e72799/
SH256 hash:
a59c3537722ecbc995f04f80e7d1b2cdc44371cd15d61091d1dbe7f2a870012d
MD5 hash:
0ba34ab962f8bde23740e65505155b8a
SHA1 hash:
135806cf4842c71fe3a38a7dba616958562dc5c0
Link:
https://www.unpac.me/results/afc3bab8-748b-46c0-bc7d-85c959e72799/
SH256 hash:
3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab
MD5 hash:
ca252aa3ba96382a26c7c82e4b847b84
SHA1 hash:
ccb5c7d3dc8344bbad401de8b640a07dfe9aa3b2
Link:
https://www.unpac.me/results/afc3bab8-748b-46c0-bc7d-85c959e72799/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171177/

Comments