MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3df3b7abf812cc4840623c526ac35442a5ceb2617cbc508719ad181e111cfeff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 7 File information Comments

SHA256 hash:	3df3b7abf812cc4840623c526ac35442a5ceb2617cbc508719ad181e111cfeff
SHA3-384 hash:	f2e86ab1ffb70c439787320793af51aa907a69ee980346d01b88285f30b35b5524fc83b62a3dc92133dad8aa6ab0e0d6
SHA1 hash:	ac7d5abe448794e84e248f56298d884340b35a02
MD5 hash:	f4fdb40091f9a921be3878fbcd7f8740
humanhash:	romeo-whiskey-pip-sad
File name:	roundup.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'350'656 bytes
First seen:	2024-02-21 01:38:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep	24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aarZhjJ9JCMCEV0xK:0TvC/MTQYxsWR7aarZhjJzCEV0
Threatray	1'498 similar samples on MalwareBazaar
TLSH	T143558D333390A03BFED679F21ACDE3764A7C6D550E27B51E43D82D667A700A27139262
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	71d8b4e4cccce871 (1 x AgentTesla, 1 x RedLineStealer, 1 x Formbook)
Reporter	smica83
Tags:	exe HUN RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/477187/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Connection attempt to an infection source

Query of malicious DNS domain

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit fingerprint keylogger lolbin packed shell32

Link:

https://www.filescan.io/uploads/65d55437c5e1a083fbf36d8f/reports/8f905baf-7818-4610-aea9-3e2dc7f48441/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/3df3b7abf812cc4840623c526ac35442a5ceb2617cbc508719ad181e111cfeff

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/df7a56ae-1933-40f6-bce6-de9dfef36113

Result

Threat name:

PureLog Stealer, RedLine, Snake Keylogge

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1395797

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3df3b7abf812cc4840623c526ac35442a5ceb2617cbc508719ad181e111cfeff

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3df3b7abf812cc4840623c526ac35442a5ceb2617cbc508719ad181e111cfeff/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-02-20 10:24:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 38 (39.47%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hxz3pk7yclgeqqdchrjgvq2uiks45mtbps6fbbyzvumb4ei4737q._file

Verdict:

malicious

RedLineStealer

57d916eab0857ac4c801805981105aa12540775ebd09f0abf53d8a8cde849c95

RedLineStealer

719b90e90ec80dc97228c3bf8116c9a45fd3636a93e4d0c6917fb8de7f719ef8

RedLineStealer

9e3efbcbbc7329e7b89e1dfbd094593debfd57fcb860f5f14c5a0ff97e7c1293

RedLineStealer

a1f50fdf9ca6e035abda6da480358bf01c6b1b5edc32da2da59b16eaf5fafac5

RedLineStealer

b079b00c1b21ed95667a8adb41808e9578a95cc5a4700f42d8cec8fe8ad399f9

RedLineStealer

dd808e48fe04077963b0b9b58b6d162499d8759acf3d046c4c0e1874459f813e

RedLineStealer

+ 1'488 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/240221-b2yydshg35/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

c55faae1a4a78db7e4bbf4fee7a336483ed6d86fec5499810cb7ea9cfd819e0a

MD5 hash:

43cc606005a294f06271386f28b3ea32

SHA1 hash:

8e55c6e34ed22c804f8e34de0fbbf919d6230018

Detections:

snake_keylogger

win_masslogger_w0

win_404keylogger_g1

MAL_Envrial_Jan18_1

MALWARE_Win_SnakeKeylogger

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Link:

https://www.unpac.me/results/fe3a73c0-2f6f-4a0a-9d8b-23f21968869d/

SH256 hash:

3cd1e2a04c2e3dbde1cf578a539650ee395a6cd71c61c012884937df6d2cdf00

MD5 hash:

fbc17ce031961b5ab1899be070d35cea

SHA1 hash:

14d1dcee17613dcfe06c27edfdc172a3610e78c3

Detections:

snake_keylogger

win_masslogger_w0

win_404keylogger_g1

MAL_Envrial_Jan18_1

MALWARE_Win_SnakeKeylogger

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

RedLine_Campaign_June2021

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Link:

https://www.unpac.me/results/fe3a73c0-2f6f-4a0a-9d8b-23f21968869d/

SH256 hash:

2da5aa1868ea8b4c4904e336b9d45f611511d6a91756ccd24e0b6fed12a12c25

MD5 hash:

02de00e97cae07f94f746217ffeb9493

SHA1 hash:

bd0aac7ede9b5506778c6d83549298c5db57d57e

Detections:

MAL_Malware_Imphash_Mar23_1

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/fe3a73c0-2f6f-4a0a-9d8b-23f21968869d/

SH256 hash:

3df3b7abf812cc4840623c526ac35442a5ceb2617cbc508719ad181e111cfeff

MD5 hash:

f4fdb40091f9a921be3878fbcd7f8740

SHA1 hash:

ac7d5abe448794e84e248f56298d884340b35a02

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/fe3a73c0-2f6f-4a0a-9d8b-23f21968869d/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3df3b7abf812/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3df3b7abf812cc4840623c526ac35442a5ceb2617cbc508719ad181e111cfeff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/477187/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample