MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3a7838ae798a5d0271bd35063602eddab284157f1963d1b71812542ba6f92c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


1xxbot


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3a7838ae798a5d0271bd35063602eddab284157f1963d1b71812542ba6f92c4
SHA3-384 hash: c27b1cc8409261da0e6ab0644a90659f18421a3e2ff0bb60c77a3b360f6db8d6407ced70a2f02e0fe7b9a1d4b128c6f3
SHA1 hash: 781d24ab722ea0e329b50dacea4a45fcee44a334
MD5 hash: dad37edf3b190661eb34ad57fc97103f
humanhash: lemon-freddie-steak-berlin
File name:dad37edf3b190661eb34ad57fc97103f.exe
Download: download sample
Signature 1xxbot
Create hunting rule
File size:1'823'744 bytes
First seen:2021-06-10 10:26:06 UTC
Last seen:2021-06-10 10:50:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep 24576:JuyBQdB8daoYfRjtjRzOpHyqG1GajaVHqzd8uQ2hUHSYvr1AEWAUhgu6U5NY1Cf:7hdnY5jtjRappGM/Kzd8uPkSouFr6U
Threatray 120 similar samples on MalwareBazaar
TLSH 7C85230B62EA6475D8F5C37866F70743DA31B8197B3946EF13CCD9BA18036B19231B4A
Reporter abuse_ch
Tags:1xxbot exe


Avatar
abuse_ch
1xxbot C2:
91.142.78.27:228

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.142.78.27:228 https://threatfox.abuse.ch/ioc/85806/

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dad37edf3b190661eb34ad57fc97103f.exe
Verdict:
No threats detected
Analysis date:
2021-06-10 10:31:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d95993d-2267-4209-a9aa-0ee740e2be8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165817/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Launching cmd.exe command interpreter
Launching a process
Sending a UDP request
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending an HTTP POST request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800103
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432500 Sample: n3sQ7uTU8v.exe Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 Yara detected RedLine Stealer 2->103 105 5 other signatures 2->105 12 n3sQ7uTU8v.exe 1 4 2->12         started        15 ccxHGRRcZG.exe.com 2->15         started        19 wscript.exe 2->19         started        21 rundll32.exe 2->21         started        process3 dnsIp4 73 C:\Users\user\AppData\Local\Temp\...\tmp2.exe, PE32 12->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\tmp1.exe, PE32 12->75 dropped 23 cmd.exe 1 12->23         started        87 OzWfJeAFYkzsxFJyz.OzWfJeAFYkzsxFJyz 15->87 77 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 15->77 dropped 93 Writes to foreign memory regions 15->93 95 Injects a PE file into a foreign processes 15->95 25 RegAsm.exe 15->25         started        97 Creates processes via WMI 19->97 file5 signatures6 process7 signatures8 28 tmp2.exe 7 23->28         started        31 tmp1.exe 15 31 23->31         started        35 conhost.exe 23->35         started        123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->123 process9 dnsIp10 125 Multi AV Scanner detection for dropped file 28->125 127 Machine Learning detection for dropped file 28->127 129 Contains functionality to register a low level keyboard hook 28->129 37 cmd.exe 1 28->37         started        89 iaditaluri.xyz 85.192.56.35, 49720, 49722, 49724 DINET-ASRU Russian Federation 31->89 91 api.ip.sb 31->91 63 C:\Users\user\AppData\Local\...\tmp1.exe.log, ASCII 31->63 dropped 131 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->131 133 Performs DNS queries to domains with low reputation 31->133 135 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->135 137 2 other signatures 31->137 file11 signatures12 process13 signatures14 107 Submitted sample is a known malware sample 37->107 109 Obfuscated command line found 37->109 111 Uses ping.exe to sleep 37->111 113 Uses ping.exe to check the status of other devices and networks 37->113 40 cmd.exe 3 37->40         started        43 conhost.exe 37->43         started        process15 signatures16 115 Obfuscated command line found 40->115 117 Uses ping.exe to sleep 40->117 45 Impregnato.exe.com 40->45         started        48 PING.EXE 1 40->48         started        51 findstr.exe 1 40->51         started        process17 dnsIp18 141 Drops PE files with a suspicious file extension 45->141 54 Impregnato.exe.com 7 45->54         started        79 127.0.0.1 unknown unknown 48->79 81 192.168.2.1 unknown unknown 48->81 65 C:\Users\user\AppData\...\Impregnato.exe.com, Targa 51->65 dropped file19 signatures20 process21 dnsIp22 83 OzWfJeAFYkzsxFJyz.OzWfJeAFYkzsxFJyz 54->83 67 C:\Users\user\AppData\...\ccxHGRRcZG.exe.com, PE32 54->67 dropped 69 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 54->69 dropped 71 C:\Users\user\AppData\...\ccxHGRRcZG.url, MS 54->71 dropped 119 Writes to foreign memory regions 54->119 121 Injects a PE file into a foreign processes 54->121 59 RegAsm.exe 54->59         started        file23 signatures24 process25 dnsIp26 85 91.142.78.27, 228, 49725, 49730 VTSL1-ASRU Russian Federation 59->85 139 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 59->139 signatures27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3a7838ae798a5d0271bd35063602eddab284157f1963d1b71812542ba6f92c4/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-10 07:43:58 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
03c770bfc70f92e979e48b46b0604c3254796123e48af7d611017af862321bea
1xxbot
3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
1xxbot
3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c
1xxbot
9d03f0739a3840f5461af1d6ffa96a34c8a0df1b428b58825d95fe3a43a55d92
1xxbot
9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186
1xxbot
acc09a3633289ac4c40c744409c20f5f5167cf55fc792371d0e4bd9331c2ce31
1xxbot
dbeb99d2b3f5ab13560c96f80ee6153f909f64aac45d4ad56e2468320430acd3
1xxbot
e31da697e1f30aca20cb88b09a69ed60bdbba9b3c4da0e67e2654ecb541964f2
1xxbot
f4a40d6bf3a266e83bbeb76bd3c865b8c3e925a16f890d107356c62563de3f33
1xxbot
f543bca03c8aab5bdf2f069ddaabda9f339db5f686a4b4275d7db32183c2655c
1xxbot
+ 110 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210610-bkqk4gz2qa/
Behaviour
Enumerates system info in registry
Modifies registry class
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Sets desktop wallpaper using registry
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
RedLine
RedLine Payload
Unpacked files
SH256 hash:
d3a7838ae798a5d0271bd35063602eddab284157f1963d1b71812542ba6f92c4
MD5 hash:
dad37edf3b190661eb34ad57fc97103f
SHA1 hash:
781d24ab722ea0e329b50dacea4a45fcee44a334
Link:
https://www.unpac.me/results/cb93ffa9-4b6a-4df8-9f6f-3ca7a49f4e92/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3a7838ae798a5d0271bd35063602eddab284157f1963d1b71812542ba6f92c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

1xxbot

Executable exe d3a7838ae798a5d0271bd35063602eddab284157f1963d1b71812542ba6f92c4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1348569/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165817/

Comments