MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ff7e61c6dd81be365d0f573f264f7e4a9ce736e17a6f8b978bc680761f6b702. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ff7e61c6dd81be365d0f573f264f7e4a9ce736e17a6f8b978bc680761f6b702
SHA3-384 hash: a3a2b733e691f61b0248b01425e95f203265c271f8dc9c488befd566efa1a033a798a9d3731b56df9756d210ab10f060
SHA1 hash: f54e870cd345708ea32baa7bdb85679987552117
MD5 hash: 04588356774cdb58119f9228ce8da2f6
humanhash: magazine-queen-mike-michigan
File name:MSCUSetup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:17'699'044 bytes
First seen:2023-05-20 15:16:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (263 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 196608:/d6gM4aqPWt7vGN+SwBnZCd2rI2DUcagDFR83nhT26if4fUdq1qAAhk7CIdpFRPo:gRqPWY+S6kUWtmFK3nGf4am3FRrab
Threatray 277 similar samples on MalwareBazaar
TLSH T1AA07333B72A4723FD86A0B3145339260A97BBBA1A81B8C1F57F0450CDF664711E3FA56
TrID 59.6% (.EXE) Inno Setup installer (109740/4/30)
22.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
3.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8026d9d4d4682100 (1 x RedLineStealer)
Reporter JaffaCakes118
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MSCUSetup.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-20 15:45:30 UTC
Tags:
installer
Link:
https://app.any.run/tasks/1d8a0083-79a0-4d7c-a409-f384101ce961

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan-Dropper.MSIL.Agent.205.29266.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/86079/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6468e46f22ca137b51218495/reports/f674297b-b21d-4e43-a158-c470b907904e/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/3ff7e61c6dd81be365d0f573f264f7e4a9ce736e17a6f8b978bc680761f6b702
Result
Verdict:
MALICIOUS
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9dcd5d98-7b1a-4ca8-b5d6-989232440bc2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
40 / 100
Link:
https://www.joesandbox.com/analysis/1238060
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Creates an undocumented autostart registry key
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ff7e61c6dd81be365d0f573f264f7e4a9ce736e17a6f8b978bc680761f6b702/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-20 15:17:07 UTC
File Type:
PE (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h736mhdn3an6gzoq6vz7ezhx4su4443oc6tprolyxruaoypww4ba._file
Verdict:
suspicious
Similar samples:
21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9
RedLineStealer
345a58b6a943b3a9235473232e3b07d8259a4a852b6b81c73412bef8a404a2f8
RedLineStealer
4cdace17e01f554f4fc14414d4a634136c7c3afe58d09a7eee935ebeefc17540
RedLineStealer
8b653f44f8bf2a4695beb27e5530632149b00ce19b2039c770c4929fdf9cb7f0
RedLineStealer
af7d9d69a2dfbcedc5d2e94cdb681a8ac5356131486129a4ba505a3dc6f2411e
RedLineStealer
b715f22a9e37049d09b06c26ca899c4be3c6c21386f70d6d357b3bd481ee1794
RedLineStealer
fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9f6a68d93bd15419b224
RedLineStealer
+ 267 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230520-sn192ada58/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a9580614ec40930ab0a188b1a0cf978fb02eea3d938df1d539c424ead3b52c4a
MD5 hash:
ec693cd4b8039ab8a9c07e58b6052cfe
SHA1 hash:
b0e0521e74114a92a00fca0669495db7179ce121
Link:
https://www.unpac.me/results/9d7782d8-caa8-4452-aaba-339c5258a250/
SH256 hash:
3ff7e61c6dd81be365d0f573f264f7e4a9ce736e17a6f8b978bc680761f6b702
MD5 hash:
04588356774cdb58119f9228ce8da2f6
SHA1 hash:
f54e870cd345708ea32baa7bdb85679987552117
Link:
https://www.unpac.me/results/9d7782d8-caa8-4452-aaba-339c5258a250/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ff7e61c6dd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ff7e61c6dd81be365d0f573f264f7e4a9ce736e17a6f8b978bc680761f6b702

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments