MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ecd5c3536415bb2abfc0c5854323340a7e049d83da7f5b7f6e3c4c4278ed68e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ecd5c3536415bb2abfc0c5854323340a7e049d83da7f5b7f6e3c4c4278ed68e
SHA3-384 hash: bef8ffe89c04d90ac1834b669911bac3b0b705ed11b74a53aa77d25c3ffdf6a437889f125bcced4c2fe967407ddf659f
SHA1 hash: 009cc727ff53daaa72881b0eba30c87c3859ba53
MD5 hash: c57ab3e0fe6035331aeb01835c6cdfc8
humanhash: alpha-black-autumn-two
File name:fl_patch_installer_win64_20.9.0.2748.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'597'736 bytes
First seen:2022-01-09 13:18:12 UTC
Last seen:2022-01-09 14:45:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 98304:47XTWq96ji/vMiXOnxw4fByyS+aTBd4q5Unq:47yqgiHMieq4fEyS+mwqIq
Threatray 571 similar samples on MalwareBazaar
TLSH T111F5337D44256C08DB172A399BC50DBBF995D85FD8D86E96F28DDE0AC3C08CDAC5602C
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fl_patch_installer_win64_20.9.0.2748.exe
Verdict:
Malicious activity
Analysis date:
2022-01-09 13:17:53 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/bd41a86e-9c36-4fce-a553-d5d14459bee0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217894/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61dae0c802e388f9fdba468c/reports/12f94ebd-0616-4121-ba41-56a933f8eab6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32e8ba48-559a-415c-a844-faf4ccc5f403
Result
Threat name:
BitCoin Miner RedLine SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917284
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549762 Sample: fl_patch_installer_win64_20... Startdate: 09/01/2022 Architecture: WINDOWS Score: 100 94 Found malware configuration 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 Yara detected SilentXMRMiner 2->98 100 5 other signatures 2->100 13 fl_patch_installer_win64_20.9.0.2748.exe 2->13         started        16 gdics.exe 2->16         started        process3 signatures4 138 Writes to foreign memory regions 13->138 140 Allocates memory in foreign processes 13->140 142 Tries to detect virtualization through RDTSC time measurements 13->142 144 Injects a PE file into a foreign processes 13->144 18 AppLaunch.exe 15 7 13->18         started        146 Multi AV Scanner detection for dropped file 16->146 148 Creates a thread in another existing process (thread injection) 16->148 23 conhost.exe 3 16->23         started        process5 dnsIp6 86 quricalill.xyz 195.226.192.126, 49746, 81 GMHOSTUA Ukraine 18->86 88 cdn.discordapp.com 162.159.133.233, 443, 49750 CLOUDFLARENETUS United States 18->88 90 api.ip.sb 18->90 80 C:\Users\user\AppData\Local\Temp\retrik.exe, PE32+ 18->80 dropped 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->112 114 Performs DNS queries to domains with low reputation 18->114 116 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->116 120 2 other signatures 18->120 25 retrik.exe 18->25         started        118 Adds a directory exclusion to Windows Defender 23->118 28 cmd.exe 1 23->28         started        file7 signatures8 process9 signatures10 128 Multi AV Scanner detection for dropped file 25->128 130 Writes to foreign memory regions 25->130 132 Allocates memory in foreign processes 25->132 134 Creates a thread in another existing process (thread injection) 25->134 30 conhost.exe 4 25->30         started        136 Adds a directory exclusion to Windows Defender 28->136 34 conhost.exe 28->34         started        36 powershell.exe 28->36         started        38 powershell.exe 28->38         started        process11 file12 82 C:\Windows\System32\gdics.exe, PE32+ 30->82 dropped 150 Adds a directory exclusion to Windows Defender 30->150 40 cmd.exe 1 30->40         started        43 cmd.exe 1 30->43         started        45 cmd.exe 1 30->45         started        signatures13 process14 signatures15 122 Drops executables to the windows directory (C:\Windows) and starts them 40->122 47 gdics.exe 40->47         started        50 conhost.exe 40->50         started        124 Uses schtasks.exe or at.exe to add and modify task schedules 43->124 126 Adds a directory exclusion to Windows Defender 43->126 52 powershell.exe 21 43->52         started        54 conhost.exe 43->54         started        56 powershell.exe 43->56         started        58 conhost.exe 45->58         started        60 schtasks.exe 1 45->60         started        process16 signatures17 152 Writes to foreign memory regions 47->152 154 Allocates memory in foreign processes 47->154 156 Creates a thread in another existing process (thread injection) 47->156 62 conhost.exe 4 47->62         started        process18 file19 84 C:\Windows\System32\...\sihost32.exe, PE32+ 62->84 dropped 158 Drops executables to the windows directory (C:\Windows) and starts them 62->158 160 Adds a directory exclusion to Windows Defender 62->160 66 sihost32.exe 62->66         started        69 cmd.exe 62->69         started        signatures20 process21 signatures22 102 Multi AV Scanner detection for dropped file 66->102 104 Writes to foreign memory regions 66->104 106 Allocates memory in foreign processes 66->106 108 Creates a thread in another existing process (thread injection) 66->108 71 conhost.exe 66->71         started        110 Adds a directory exclusion to Windows Defender 69->110 73 powershell.exe 69->73         started        76 conhost.exe 69->76         started        78 powershell.exe 69->78         started        process23 dnsIp24 92 192.168.2.1 unknown unknown 73->92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ecd5c3536415bb2abfc0c5854323340a7e049d83da7f5b7f6e3c4c4278ed68e/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-09 13:19:22 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3gvynjwifn3fk74brmfimrtict6asoyhwt7ln7w4pcmij4o22ha._file
Verdict:
malicious
Similar samples:
0dee20eae747781c183499abc341feded87a5a6325f0a9b789067d1b6377ef89
RedLineStealer
1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334
RedLineStealer
36a143318fa67627e0b9351d7add36540248fc73b147a83cff6d97f2c39b63c0
RedLineStealer
3d030fbfbe328bc4f276d565854f89189094ddb46dc1c6d36e8e9a438227279f
RedLineStealer
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
RedLineStealer
92561a2126c31ee34edef41557d2c312a3e1f4b9909c99d8ca23d3cae19ee173
RedLineStealer
a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf
RedLineStealer
b4a3cafc8553c06b17131e6b3afb38971312a4d91ae3349d2d118bdfc3d8de94
RedLineStealer
e59a89138d5d7d96b4336b9323be581e35b3056180cc4fcf2844027534d5c189
RedLineStealer
f3940f6c65cda4da86d1f9712223b8a278cd0dc90f701938a38a61ff74c66c66
RedLineStealer
+ 561 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220109-qkhmeadec2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
96095b690c2be25ddbbf24d64129fdf8406ed5bb8c4e34c18f9496c801d0fec5
MD5 hash:
8061a61678183cb11d7fca83239f50a9
SHA1 hash:
01fdfe70f547abc845f0b1114672318606421fe8
Link:
https://www.unpac.me/results/4ce211ce-2c8c-440f-b7f7-de0427fc4042/
SH256 hash:
613affa6ada8a7c5b364346f212193d9d87ca7a4708a5708f8a35f9ef1f185eb
MD5 hash:
98dc5b5ed7ebb748f429ef10638fd1b2
SHA1 hash:
0cee8154b738d5da6dfcffa029a2e1ab38a68cd0
Link:
https://www.unpac.me/results/4ce211ce-2c8c-440f-b7f7-de0427fc4042/
SH256 hash:
3ecd5c3536415bb2abfc0c5854323340a7e049d83da7f5b7f6e3c4c4278ed68e
MD5 hash:
c57ab3e0fe6035331aeb01835c6cdfc8
SHA1 hash:
009cc727ff53daaa72881b0eba30c87c3859ba53
Link:
https://www.unpac.me/results/4ce211ce-2c8c-440f-b7f7-de0427fc4042/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3ecd5c353641/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ecd5c3536415bb2abfc0c5854323340a7e049d83da7f5b7f6e3c4c4278ed68e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3ecd5c3536415bb2abfc0c5854323340a7e049d83da7f5b7f6e3c4c4278ed68e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217894/

Comments