MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3a5623bd0649f324b19c882ff48f76fe7aa674352d2f470ed35313cfb7ea92a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3a5623bd0649f324b19c882ff48f76fe7aa674352d2f470ed35313cfb7ea92a
SHA3-384 hash: 0c375a5dd126adac23b186db4cef3cc5ebb4b75e59059a4998241d203aee00d80a190559975be94bcabe3c46fea4ccba
SHA1 hash: 89eabd97ea7285f1038a6966194bbea1b97a97b4
MD5 hash: 92899ca104e6ac22954956977522eebb
humanhash: fish-earth-july-stairway
File name:92899ca104e6ac22954956977522eebb
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'246'144 bytes
First seen:2023-07-25 04:16:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:39/bSahcEmWfxHd4zIlry42KrdABnd7gYbShZWCFK:oahwWf34wrNrSBd0CShZ
Threatray 2'103 similar samples on MalwareBazaar
TLSH T183A544841FB30452BC308667C8D3741AED2EEAB7C45866A62655B31CCE23FC86B7D61D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 71f0ccaa888ec8f0 (1 x DarkCloud, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
399
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
92899ca104e6ac22954956977522eebb
Verdict:
Malicious activity
Analysis date:
2023-07-25 04:19:18 UTC
Tags:
redline
Link:
https://app.any.run/tasks/ce657006-1add-46cb-b9d0-a42a0e82fcc4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/431859/
Detection(s):
SecuriteInfo.com.Variant.Ransom.Loki.8883.14768.20417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/a3a5623bd0649f324b19c882ff48f76fe7aa674352d2f470ed35313cfb7ea92a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2431f1b5-6312-4fea-b760-f8f507f2ebc7
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278804
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Redline Clipper
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278804 Sample: fMa8Tphg4Y.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for domain / URL 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 7 other signatures 2->70 7 fMa8Tphg4Y.exe 4 2->7         started        11 chrome.exe 1 2->11         started        13 chrome.exe 2->13         started        process3 file4 58 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 7->58 dropped 60 C:\Users\user\AppData\...\fMa8Tphg4Y.exe.log, ASCII 7->60 dropped 72 Injects a PE file into a foreign processes 7->72 15 chrome.exe 7->15         started        18 cmd.exe 3 7->18         started        21 cmd.exe 2 7->21         started        29 2 other processes 7->29 74 Antivirus detection for dropped file 11->74 76 Multi AV Scanner detection for dropped file 11->76 78 Machine Learning detection for dropped file 11->78 23 cmd.exe 11->23         started        25 chrome.exe 14 3 11->25         started        32 2 other processes 11->32 27 cmd.exe 13->27         started        34 3 other processes 13->34 signatures5 process6 dnsIp7 80 Multi AV Scanner detection for dropped file 15->80 82 Machine Learning detection for dropped file 15->82 84 Injects a PE file into a foreign processes 15->84 36 chrome.exe 2 15->36         started        54 C:\Users\user\AppData\Roaming\...\chrome.exe, PE32 18->54 dropped 56 C:\Users\user\...\chrome.exe:Zone.Identifier, ASCII 18->56 dropped 38 conhost.exe 18->38         started        86 Uses schtasks.exe or at.exe to add and modify task schedules 21->86 40 conhost.exe 21->40         started        44 2 other processes 23->44 42 conhost.exe 25->42         started        46 2 other processes 27->46 62 161.129.36.99, 55615 RIXCLOUD-INCUS United States 29->62 48 3 other processes 29->48 50 2 other processes 32->50 52 3 other processes 34->52 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3a5623bd0649f324b19c882ff48f76fe7aa674352d2f470ed35313cfb7ea92a/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 04:17:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uosweo6qmsptesyzzcbp6shxn7t2uz2dkljpi4hnguytz636veva._file
Verdict:
malicious
Similar samples:
17dc8d6c4b9e8a27479e3de340925a3f766cc815eafbaafbc59ee5f14ae41fd2
RedLineStealer
2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
RedLineStealer
50ee88e94c3b5ee3652c4768305f6924679cfd6a48792ed322f0ef858ed06c7e
RedLineStealer
5764353e2fff82abee68ba0302929bb871ec75ee9416628de2f2ea6cd3eab52e
RedLineStealer
9c080a6c3f222fa3409962b716432e674ab1191f8e3376df025912203b7d25fd
RedLineStealer
ba519e6832804d25ebdd7d18ec62bdf3e68f18f8fbd9b90f9701509938cb28d1
RedLineStealer
e4e869c9d64e6141d57774325f7a638ab8347d85d0afead3fb713180c3da1d6a
RedLineStealer
ee5c19be53080ac42369f307dd5a82956a8e927860473cee8352f94b01046c6d
RedLineStealer
f13eb672c5400eefce395ca9f5f668e2273748e3c398558e17f4c43ec314ff71
RedLineStealer
f3bbf1cfb9589105ca848b077d64840b2a4afd19e1432bcbbdcad695ba459e1e
RedLineStealer
+ 2'093 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat infostealer rat trojan
Link:
https://tria.ge/reports/230725-ewc1hsah91/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
161.129.36.99:55615
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/a9282519-d885-45d9-b38e-31196a3032a7/
SH256 hash:
ed2cf428f68cb72600fb10b8a1582653be817c33dddbc0cf4e84b083d4375146
MD5 hash:
5224d6ff289224ea6a32385692669f1d
SHA1 hash:
7a14761fbad15ec240b54f43d3d2f1b44f0f9f3c
Link:
https://www.unpac.me/results/a9282519-d885-45d9-b38e-31196a3032a7/
SH256 hash:
efcda1f87b644bd29cfb7e25fa73dfd8e2a25dc637f87bbb1992c1a111a6a324
MD5 hash:
e91b3792973ff304ee75fd7c70c89bfa
SHA1 hash:
2224e2863458f70d53973c9c987d250783ea4ea5
Link:
https://www.unpac.me/results/a9282519-d885-45d9-b38e-31196a3032a7/
SH256 hash:
a3a5623bd0649f324b19c882ff48f76fe7aa674352d2f470ed35313cfb7ea92a
MD5 hash:
92899ca104e6ac22954956977522eebb
SHA1 hash:
89eabd97ea7285f1038a6966194bbea1b97a97b4
Link:
https://www.unpac.me/results/a9282519-d885-45d9-b38e-31196a3032a7/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a3a5623bd064/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3a5623bd0649f324b19c882ff48f76fe7aa674352d2f470ed35313cfb7ea92a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a3a5623bd0649f324b19c882ff48f76fe7aa674352d2f470ed35313cfb7ea92a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2689443/
Cape
Cape
https://www.capesandbox.com/analysis/431859/

Comments


Avatar
zbet commented on 2023-07-25 04:16:44 UTC

url : hxxps://payorderreceipt.info/scano/scand548226.exe