MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac3ca04df65a7de6fad42a734ffb496d1c10cc52d14a88201f2a8579530d72aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac3ca04df65a7de6fad42a734ffb496d1c10cc52d14a88201f2a8579530d72aa
SHA3-384 hash: adea6a518bc8bb64cc59436db017b0a2168c9a71ac44177c05c269cea8270ff3a6fc9fe9eafd24e79476c73a2e124f48
SHA1 hash: a0ae31bcb8b0ea1439de66ddfafda130617226ed
MD5 hash: fcdfb8dcb76224802c945fe5b3ef6f83
humanhash: florida-uniform-october-freddie
File name:PAYMENT TT COPY SWIFT.pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:759'174 bytes
First seen:2023-08-22 08:40:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa8d20faea9ef7b4e2b7fbfe93442593 (17 x RedLineStealer, 4 x CoinMiner, 3 x AgentTesla)
ssdeep 12288:f3DkEGDINi1EwkG8hP/6bnCN1ovf5Iwaj4p2Pz+XamnmIKhUpl9j5TChfI+:/DkUNi1EvGdm/oX2wacKZmnfYUFjoC+
Threatray 18 similar samples on MalwareBazaar
TLSH T1F9F40221BAC088B1E5B619345EE1B332AB3D7D301B799ECF9B00065D9F351C19635BAB
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f2ceaeaeb2968eaa (68 x RedLineStealer, 21 x AgentTesla, 18 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
54.37.0.50:55615

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT TT COPY SWIFT.pdf.exe
Verdict:
No threats detected
Analysis date:
2023-08-22 08:44:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6c48fbc6-b62a-4d49-bf8d-fffbcb8bb5ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/444124/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Uztuby.4.19274.32072.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108281/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/ac3ca04df65a7de6fad42a734ffb496d1c10cc52d14a88201f2a8579530d72aa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77ab1674-83d4-4267-a640-0fba761e2b1b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1295015
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1295015 Sample: PAYMENT_TT_COPY_SWIFT.pdf.exe Startdate: 22/08/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->51 53 10 other signatures 2->53 8 PAYMENT_TT_COPY_SWIFT.pdf.exe 1 10 2->8         started        12 cEcKyHph.exe 4 2->12         started        process3 file4 39 C:\Users\user\AppData\...\PAYMENT TT.exe, PE32 8->39 dropped 55 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 8->55 14 PAYMENT TT.exe 6 8->14         started        57 Machine Learning detection for dropped file 12->57 18 schtasks.exe 12->18         started        20 cEcKyHph.exe 12->20         started        signatures5 process6 file7 41 C:\Users\user\AppData\Roaming\cEcKyHph.exe, PE32 14->41 dropped 43 C:\Users\user\AppData\Local\...\tmp310D.tmp, XML 14->43 dropped 59 Found many strings related to Crypto-Wallets (likely being stolen) 14->59 61 Adds a directory exclusion to Windows Defender 14->61 22 PAYMENT TT.exe 15 3 14->22         started        25 powershell.exe 18 14->25         started        27 schtasks.exe 1 14->27         started        29 conhost.exe 18->29         started        31 conhost.exe 20->31         started        signatures8 process9 dnsIp10 45 54.37.0.50, 49735, 49740, 49741 OVHFR France 22->45 33 conhost.exe 22->33         started        35 conhost.exe 25->35         started        37 conhost.exe 27->37         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac3ca04df65a7de6fad42a734ffb496d1c10cc52d14a88201f2a8579530d72aa/
Threat name:
Win32.Trojan.SuspMsilInArcEmail
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 08:41:06 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vq6katpwlj66n6wufjzu762jnuobbtcs2ffiqia7fkcxsuynokva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1870568f702f6dace356e56e859fa30674e6388dfdfd76c056e446f12d356128
RedLineStealer
596694c74332564a2f97d443cb291ac7f1ccf0d3cf7cf468fd2810b22f7c593c
RedLineStealer
5a6c429f017b403c4bc91330056da43f35387f4a5ed19fed2be140ee29c32989
RedLineStealer
76de16b596ad3700130d2d2c02a9ca144ace99bef78a7088b93f069673cbe972
RedLineStealer
b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05
RedLineStealer
e01f586f773c36468995eabf2682dfc209824b06a8a784bfb34b7fad499bc22a
RedLineStealer
ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8
RedLineStealer
f9c4add410b55fb7a5b176a3f71761bbdc6b138f6e7a2f1e39f8ee094dd3b992
RedLineStealer
fbe43eccf559247f04391a68d08546953f0010957aaaa0205187a96b5fe57c94
RedLineStealer
+ 8 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/230822-klez1sbb49/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
54.37.0.50:55615
Unpacked files
SH256 hash:
1ff650496c624aa980dcd511c2625001f1d67dde8b3e7e17ee3db5c2a55a1e8d
MD5 hash:
9a43e84ad6903246b03e530b15e62215
SHA1 hash:
eacc38c2d73a6febfa1a5adc23de652b94b5b6da
Link:
https://www.unpac.me/results/7c5ec67f-b2c8-4abf-96b3-29ea336099b2/
SH256 hash:
892761d55890a0af5517cc5da1b7b251539f9d1b5e126616def3b66b60b25f50
MD5 hash:
1381fe1ab71c80397a78422051edbd51
SHA1 hash:
e258e5a6e54f6314944e713515d22906fa4520f7
Link:
https://www.unpac.me/results/7c5ec67f-b2c8-4abf-96b3-29ea336099b2/
SH256 hash:
881194979fa3cb5ef9cbebdc1211fa803c492eef19c5f20eb293a5b212270ffa
MD5 hash:
1747ce35d2f3db2aaa84a3f314827603
SHA1 hash:
9f3e6fcca5b7be1be57e695fb28c8d25c53a41c9
Link:
https://www.unpac.me/results/7c5ec67f-b2c8-4abf-96b3-29ea336099b2/
SH256 hash:
6b959869f767cbed167d5169ef0f2375ea56e202a0a8ac8dbb8f05cd1eae661e
MD5 hash:
e845de7a4cd00244a0f9446be285469b
SHA1 hash:
9749766f00920445091f6b27306bf09be01c0ae5
Link:
https://www.unpac.me/results/7c5ec67f-b2c8-4abf-96b3-29ea336099b2/
SH256 hash:
ac3ca04df65a7de6fad42a734ffb496d1c10cc52d14a88201f2a8579530d72aa
MD5 hash:
fcdfb8dcb76224802c945fe5b3ef6f83
SHA1 hash:
a0ae31bcb8b0ea1439de66ddfafda130617226ed
Link:
https://www.unpac.me/results/7c5ec67f-b2c8-4abf-96b3-29ea336099b2/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac3ca04df65a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac3ca04df65a7de6fad42a734ffb496d1c10cc52d14a88201f2a8579530d72aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021
Create hunting rule
Author:BlackBerry Threat Research Team
Description:Detects Unobfuscated RedLine Infostealer Executables (.NET)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Redline32
Create hunting rule
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Create hunting rule
Author:Elastic Security
Rule name:win_delivery_check_g0
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444124/

Comments