MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e7dd33a42855ba8c8a90f869cf6546653e30ab2b1899e62ec6df6337f5e786f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 2 YARA 4 File information Comments

SHA256 hash:	3e7dd33a42855ba8c8a90f869cf6546653e30ab2b1899e62ec6df6337f5e786f
SHA3-384 hash:	799b323b6a9bceeb665c71168e0784f64995a9094678a9b898c31dc3ed53b556040405e5747072162d68ee9d6639a0eb
SHA1 hash:	f292c76cb274671bda7cf69c2fe2378bd5322637
MD5 hash:	a79e90d9dd96d57aab14c39e8a6cf7ee
humanhash:	north-pizza-social-king
File name:	a79e90d9dd96d57aab14c39e8a6cf7ee.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'567'168 bytes
First seen:	2022-02-27 22:40:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	49152:KQJlHYNJEB5raNiDsYSvZY8arHr97NgTqNYsYIrKK7pUM97l3Cmn9:Hv35SAslxYNjh7NgT05YIxUMBhCE9
Threatray	651 similar samples on MalwareBazaar
TLSH	T105C5024DDB9D5AC8E9B44A7684F5A3112354BF700CCFCA0B71ED663ED1BA3952E4128C
File icon (PE):
dhash icon	b2be7a370101a3c0 (11 x Vovabol, 5 x CobaltStrike, 3 x AsyncRAT)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
212.192.241.250:10920

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
212.192.241.250:10920	https://threatfox.abuse.ch/ioc/391208/
41.225.46.176:1234	https://threatfox.abuse.ch/ioc/391209/

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/245111/

Detection(s):

SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/621bfe010cd58dbd924e45bb/reports/f0e093fe-b4f9-4d2d-84e3-1acb5d84bbf1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c256f062-999e-4cbe-8221-3cd4407b4c8f

Result

Threat name:

gzRat

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/947015

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Encrypted powershell cmdline option found

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential dropper URLs found in powershell memory

Sigma detected: Suspicious Encoded PowerShell Command Line

Yara detected Costura Assembly Loader

Yara detected gzRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e7dd33a42855ba8c8a90f869cf6546653e30ab2b1899e62ec6df6337f5e786f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-25 08:56:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 43 (46.51%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hz65goscqvn2rsfjb6djz5sumzj6gcvswgez4yxmnx3dg726pbxq._file

Verdict:

malicious

RedLineStealer

20658384b26379f13909fbfd67040a28e381b699f129d96a48a8f24d8ec09424

RedLineStealer

5521e6f534557e3b61b5d9d02b332707f21190d2ee56756308fe36e20e72c4df

RedLineStealer

b7b523a093c1f316afcbf8367d73f9a29ae16fae60cac20343656a3db4e0f496

RedLineStealer

dde87b37e8c2ac1e5fb4bc9e9292573713912a94f72fead321518703e1259c77

RedLineStealer

e9f3be0c409dfce073fc55ea97594b0ff18f7953e1793cb7aa8a7c0f87549ebb

RedLineStealer

+ 641 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:bitrat family:redline botnet:666 discovery infostealer persistence spyware stealer suricata trojan upx

Link:

https://tria.ge/reports/220227-2l36aaeabq/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

BitRAT

Modifies WinLogon for persistence

RedLine

RedLine Payload

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Malware Config

C2 Extraction:

212.192.241.250:10920
itisnicedaytodie.duckdns.org:1234

Unpacked files

SH256 hash:

584281f96470214d7f949befe612d4fa342d21815f2cccf698a48dbc7502e2f6

MD5 hash:

dd3cad0ccafebbba49b14d7e264960c5

SHA1 hash:

d3c4c99002020f5da83dd90502e5216038dc0aa2

Link:

https://www.unpac.me/results/74783b5e-f443-4709-b943-206d1442f1f3/

SH256 hash:

05e3ca63ebb3b2925de25c3dd64de11ebd5cf3be45a90563a9fb0d3dcb5ef6db

MD5 hash:

2e96bc781993e45d835b0237ca276dba

SHA1 hash:

7363a3cb95070448c0b331b035b0ff022d663fd6

Link:

https://www.unpac.me/results/74783b5e-f443-4709-b943-206d1442f1f3/

SH256 hash:

3e7dd33a42855ba8c8a90f869cf6546653e30ab2b1899e62ec6df6337f5e786f

MD5 hash:

a79e90d9dd96d57aab14c39e8a6cf7ee

SHA1 hash:

f292c76cb274671bda7cf69c2fe2378bd5322637

Link:

https://www.unpac.me/results/74783b5e-f443-4709-b943-206d1442f1f3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/3e7dd33a42855ba8c8a90f869cf6546653e30ab2b1899e62ec6df6337f5e786f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/245111/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample