MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3363dfa7a54e375c98d4934c85bf995738822c8c3899280c3076876fca74db3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

SHA256 hash: b3363dfa7a54e375c98d4934c85bf995738822c8c3899280c3076876fca74db3
SHA3-384 hash: 4848fb8da24bf61e1ab3315d8f1d51a8fa1c7d35a53a45846bde753607c69806c20f20bad8d89488a7c805ffe9eac74f
SHA1 hash: 7161c1a7f3ed3f72074b4a4a533cd8dfff1d1116
MD5 hash: 0eb47635d997f848f52b57738cbc02fc
humanhash: wyoming-single-floor-magazine
File name: 0eb47635d997f848f52b57738cbc02fc.exe
Signature: RedLineStealer
File size: 1'773'225 bytes
First seen: 2023-04-05 05:50:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 24576:2TbBv5rUyXV8zVlvNK7J2DLXVikKyPsHNdtwWosAga9buFM0cvcTysPEuxWGrfVD:IBJ4pNKFgFY0gDIgaOSEBlxWQVJp7mM
TLSH: T119852202BAC558B2D4721D3346399B11A97D7D203F7ACEDBA3E05A5DEA205C0DB327B1
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe RedLineStealer


Comment by abuse_ch:
RedLineStealer C2:
77.91.85.137:81

Intelligence


File Origin
# of uploads: 1
# of downloads: 230
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0eb47635d997f848f52b57738cbc02fc.exe
Verdict: Malicious activity
Analysis date: 2023-04-05 05:51:22 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MinerDownloader, RedLine, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 841500; Sample: NOatxiwIpi.exe; Startdate: 05/04/2023; Architecture: WINDOWS; Score: 100

Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures.

Process tree (the graph image rendered as text; only the recoverable process, file, network and signature information is kept):

NOatxiwIpi.exe
  dropped: C:\Users\user\AppData\Local\...\Mahatga.exe (PE32); C:\Users\user\AppData\...\Maha123tga.exe (PE32)
  +- Maha123tga.exe
  |    signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
  |    +- AppLaunch.exe
  |    |    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  |    |    +- AppLaunch.exe
  |    |    |    network: github.com 140.82.121.3:443 (GITHUBUS, United States); raw.githubusercontent.com 185.199.108.133:443 (FASTLYUS, Netherlands); pastebin.com 104.20.67.143:443 (CLOUDFLARENETUS, United States)
  |    |    |    dropped: C:\ProgramData\Dllhost\winlogson.exe (PE32+); C:\ProgramData\Dllhost\dllhost.exe (PE32); C:\ProgramData\Dllhost\WinRing0x64.sys (PE32+); C:\ProgramData\HostData\logs.uce (ASCII)
  |    |    |    signatures: Sample is not signed and drops a device driver
  |    |    |    +- cmd.exe
  |    |    |    |    signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
  |    |    |    |    +- powershell.exe
  |    |    |    |    +- conhost.exe
  |    |    |    +- cmd.exe
  |    |    |    |    +- conhost.exe
  |    |    |    |    +- schtasks.exe
  |    |    |    +- cmd.exe
  |    |    |         +- conhost.exe
  |    |    +- conhost.exe
  |    +- WerFault.exe
  |    +- conhost.exe
  +- Mahatga.exe
       signatures: Injects a PE file into a foreign processes
       +- AppLaunch.exe
       |    network: 77.91.85.137:81 (METREX-ASRU, Russian Federation); api.ip.sb
       |    signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
       +- conhost.exe
       +- WerFault.exe
Threat name:
Win32.Trojan.Jaik
Status:
Malicious
First seen:
2023-04-05 05:51:10 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:test infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
77.91.85.137:81
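The network indicators on this page split into two classes that should not be scored alike: the extracted RedLine C2 socket 77.91.85.137:81, and the legitimate services the sandbox saw the second-stage loader contact for staging and external-IP lookup (github.com, raw.githubusercontent.com, pastebin.com, api.ip.sb). The following Python is an added example, not part of the MalwareBazaar entry or of any vendor report above: it parses connection records, treats the C2 socket as high confidence, the C2 address on another port as medium, and the staging services as low-confidence context only, so that a host which merely fetched something from GitHub is not raised as an alert on its own. The log lines and their field layout (timestamp, source IP, destination IP, destination port, SNI or hostname) are constructed for the example and are not a real product's format.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Network indicators copied from this MalwareBazaar entry (sandbox network section and
# RedLine C2 extraction). The socket is the only high-confidence indicator.
C2_SOCKETS = {("77.91.85.137", 81)}
C2_IPS = {ip for ip, _ in C2_SOCKETS}
# Legitimate services the sample used for staging payloads and external-IP lookup.
# A hit on these alone is weak evidence; it only adds context to a C2 hit.
STAGING_HOSTS = {"github.com", "raw.githubusercontent.com", "pastebin.com", "api.ip.sb"}
# Addresses resolved during the sandbox run. CDN addresses rotate, so these are weak too.
STAGING_IPS = {"140.82.121.3", "185.199.108.133", "104.20.67.143"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed log lines for the example (not from the page). Assumed record format:
# <timestamp> <src_ip> <dst_ip> <dst_port> <sni_or_host|->
SAMPLE_LOG = """\
2023-04-05T05:52:01Z 10.0.0.17 140.82.121.3 443 github.com
2023-04-05T05:52:03Z 10.0.0.17 104.20.67.143 443 pastebin.com
2023-04-05T05:52:09Z 10.0.0.17 77.91.85.137 81 -
2023-04-05T05:52:10Z 10.0.0.23 140.82.121.3 443 github.com
2023-04-05T05:52:11Z 10.0.0.23 77.91.85.137 443 -
2023-04-05T05:52:12Z 10.0.0.40 203.0.113.10 443 www.example.com
this line is malformed and must be skipped
"""


@dataclass
class Conn:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    host: Optional[str]  # SNI / Host header if the sensor recorded one


def parse_line(line: str) -> Optional[Conn]:
    """Parse one record of the assumed format; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, host = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dst_port = int(port)
    except ValueError:
        return None
    return Conn(ts, src, dst, dst_port, None if host == "-" else host.lower())


def score(c: Conn) -> Optional[dict]:
    """Map one connection to an alert, or None if it touches no indicator."""
    if (c.dst_ip, c.dst_port) in C2_SOCKETS:
        sev, why = "high", f"RedLine C2 socket {c.dst_ip}:{c.dst_port}"
    elif c.dst_ip in C2_IPS:
        sev, why = "medium", f"RedLine C2 address {c.dst_ip} on unexpected port {c.dst_port}"
    elif c.host in STAGING_HOSTS or c.dst_ip in STAGING_IPS:
        sev, why = "low", f"staging/lookup service {c.host or c.dst_ip}"
    else:
        return None
    return {"ts": c.ts, "src": c.src_ip, "severity": sev, "reason": why}


def detect(lines: Iterable[str]) -> List[dict]:
    """Run every parseable record through score() and collect the alerts in order."""
    alerts = []
    for line in lines:
        c = parse_line(line)
        if c is not None:
            a = score(c)
            if a is not None:
                alerts.append(a)
    return alerts


def triage(lines: Iterable[str]) -> Dict[str, dict]:
    """Group alerts by internal host. Hosts whose only hits are low-severity staging
    services are dropped: on their own, GitHub or Pastebin traffic is normal."""
    per_host: Dict[str, dict] = {}
    for a in detect(lines):
        h = per_host.setdefault(a["src"], {"max_severity": "low", "reasons": []})
        h["reasons"].append(a["reason"])
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[h["max_severity"]]:
            h["max_severity"] = a["severity"]
    return {src: h for src, h in per_host.items() if h["max_severity"] != "low"}


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG.splitlines()).items():
        print(src, info["max_severity"], "; ".join(info["reasons"]))
```

Running the block against the constructed log reports 10.0.0.17 as high (C2 socket, with the GitHub and Pastebin fetches kept as context) and 10.0.0.23 as medium (C2 address on port 443), while 10.0.0.40 and the malformed record produce nothing.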
Unpacked files

SHA256 hash: 3dea8c7973f571d4ff786bc3d25c502ffa9349beed5be0cf3144c33f6834acf8
MD5 hash: 52d50cd1f85a77c3746b541af9f97814
SHA1 hash: 75c575fafecb9745bb33905a77697509c1910f71

SHA256 hash: d69e6fa75c935e094c96c63b903794c9ed0ce3790602d031995f70cc19b01c79
MD5 hash: bd32eeec32f14e2c33dd5c20e3aa4d75
SHA1 hash: 79865502c0d0d9602b79f4d0d861daaeff6ac2c4

SHA256 hash: f02822765f8b76aea8e9afbd5dd2c131ec2c83615785adf3d2cdb03b4103b5db
MD5 hash: 96d7a2e56f7aed9ae4206141ee938171
SHA1 hash: a62c163c66b7db8a0d5e284553c928c0dbea0078

SHA256 hash: f250446739250770dc65f2bd607cf16b50761fb24084e38e24c878cd3d5c4d7b
MD5 hash: d3fd584dd71724f59bd965952f82057a
SHA1 hash: 283a647e6ac6def93aeb13c6b6c11caeaa3a53aa

SHA256 hash: b3363dfa7a54e375c98d4934c85bf995738822c8c3899280c3076876fca74db3 (the submitted sample itself)
MD5 hash: 0eb47635d997f848f52b57738cbc02fc
SHA1 hash: 7161c1a7f3ed3f72074b4a4a533cd8dfff1d1116
Please note that we are no longer able to provide a coverage score for Virus Total.
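The entry publishes MD5, SHA1, SHA256 and SHA3-384 for the submitted sample, and MD5/SHA1/SHA256 for each file the sandbox unpacked from it. The following Python is an added example, not code from MalwareBazaar, that hashes a file with the same algorithms (all available in the standard library's hashlib) and checks the result against every hash on this page, covering both the file-information section at the top and the unpacked-files list. A SHA256 hit is treated as confirmation; a hit on MD5 or SHA1 alone is reported as weak, since both are collision-prone and a feed may carry a stale or colliding value. The page does not name the unpacked files, so the labels are positional (the last unpacked entry is the submitted sample itself). imphash, ssdeep and TLSH are not computed because they need third-party libraries.

```python
import hashlib
from typing import Dict

# Hash indicators copied from this MalwareBazaar entry: the submitted sample and the
# files the sandbox unpacked from it. Labels are positional because the page does not
# name the unpacked files; the entry repeating the sample's hashes is labelled as such.
KNOWN_FILES = [
    # (sha256, md5, sha1, label)
    ("b3363dfa7a54e375c98d4934c85bf995738822c8c3899280c3076876fca74db3",
     "0eb47635d997f848f52b57738cbc02fc", "7161c1a7f3ed3f72074b4a4a533cd8dfff1d1116",
     "RedLineStealer submitted sample"),
    ("3dea8c7973f571d4ff786bc3d25c502ffa9349beed5be0cf3144c33f6834acf8",
     "52d50cd1f85a77c3746b541af9f97814", "75c575fafecb9745bb33905a77697509c1910f71",
     "unpacked file 1"),
    ("d69e6fa75c935e094c96c63b903794c9ed0ce3790602d031995f70cc19b01c79",
     "bd32eeec32f14e2c33dd5c20e3aa4d75", "79865502c0d0d9602b79f4d0d861daaeff6ac2c4",
     "unpacked file 2"),
    ("f02822765f8b76aea8e9afbd5dd2c131ec2c83615785adf3d2cdb03b4103b5db",
     "96d7a2e56f7aed9ae4206141ee938171", "a62c163c66b7db8a0d5e284553c928c0dbea0078",
     "unpacked file 3"),
    ("f250446739250770dc65f2bd607cf16b50761fb24084e38e24c878cd3d5c4d7b",
     "d3fd584dd71724f59bd965952f82057a", "283a647e6ac6def93aeb13c6b6c11caeaa3a53aa",
     "unpacked file 4"),
]

# Per-algorithm lookup tables keyed by lowercase hex digest.
INDEX = {
    "sha256": {f[0]: f[3] for f in KNOWN_FILES},
    "md5": {f[1]: f[3] for f in KNOWN_FILES},
    "sha1": {f[2]: f[3] for f in KNOWN_FILES},
}

# Every algorithm this entry publishes a value for; all are in hashlib.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Hash one in-memory blob with every algorithm in ALGORITHMS."""
    hs = {name: hashlib.new(name) for name in ALGORITHMS}
    for h in hs.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hs.items()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digest_bytes but streams the file, so a large dropper need not fit in memory."""
    hs = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def match_iocs(digests: Dict[str, str]) -> Dict[str, str]:
    """Return {algorithm: label} for each algorithm whose digest appears in this entry."""
    hits = {}
    for algo, table in INDEX.items():
        d = digests.get(algo, "").lower()
        if d in table:
            hits[algo] = table[d]
    return hits


def verdict(hits: Dict[str, str]) -> str:
    """SHA256 is conclusive. MD5 and SHA1 are collision-prone, so a weak-only hit is
    reported separately instead of being treated as confirmation."""
    if "sha256" in hits:
        return "confirmed"
    if hits:
        return "weak"
    return "no match"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = digest_file(path)
        hits = match_iocs(d)
        print(f"{path}: {verdict(hits)} {hits} sha256={d['sha256']}")
```

Invoke it as `python check_hashes.py suspect.exe` (script name assumed); the output gives the verdict, the matched algorithms with their labels, and the SHA256 for pivoting back to this entry.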

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Suspicious_Macro_Presence
Author: Mehmet Ali Kerimoglu (CYB3RMX)
Description: This rule detects common malicious/suspicious implementations.

Rule name: XWorm_Hunter
Author: Potato
