MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd33bf66fb78dd738965c8fb1602e16bb6df43972b25b18ec8671cfb5d313e3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd33bf66fb78dd738965c8fb1602e16bb6df43972b25b18ec8671cfb5d313e3e
SHA3-384 hash: 3f6068b5a503f6691aeada778e0c993f87e4dec703602ec015d1f9613688fc316894e831c9e813e891f5101ff67f9b81
SHA1 hash: 3989c15345f12accd812962393488ff52d221be3
MD5 hash: 9e41c1ff5349b13107a32955121b23ee
humanhash: bravo-failed-mirror-ceiling
File name:9e41c1ff5349b13107a32955121b23ee.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'891'136 bytes
First seen:2022-02-16 17:06:58 UTC
Last seen:2022-03-22 19:27:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fddc083fa31a17c938d0a17ec7cd3025 (141 x RedLineStealer, 4 x RaccoonStealer, 1 x Formbook)
ssdeep 98304:lr6cKqiczz+SyGeiSdsh4sQgupc5upQSq/QP+INjtt9YLzv8lJe4ruqV3z5PQl:lVqczzFyGmdsqrDQSqYPvlQ8lJe4/5P6
Threatray 1'334 similar samples on MalwareBazaar
TLSH T16436337B517C7639814CCAB422C8EBA5A07F7ED0BFAC3970038D56C54E5237AF02959A
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241974/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/620d2f44875593a3ccd824cd/reports/9c784b56-f83f-404b-8347-9f3de6ca6180/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c87f9d0c-a32f-45d2-9701-57bd09fa6620
Result
Threat name:
RedLine TON Miner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941017
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected TON Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573498 Sample: RNRD2P3UdQ.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 113 Malicious sample detected (through community Yara rule) 2->113 115 Multi AV Scanner detection for submitted file 2->115 117 Yara detected TON Miner 2->117 119 4 other signatures 2->119 10 RNRD2P3UdQ.exe 1 2->10         started        13 RegHost.exe 2->13         started        15 subst.exe 13 2->15         started        process3 dnsIp4 129 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->129 131 Writes to foreign memory regions 10->131 133 Allocates memory in foreign processes 10->133 145 2 other signatures 10->145 18 AppLaunch.exe 15 8 10->18         started        23 conhost.exe 10->23         started        135 Multi AV Scanner detection for dropped file 13->135 137 Machine Learning detection for dropped file 13->137 139 Injects code into the Windows Explorer (explorer.exe) 13->139 141 Modifies the context of a thread in another process (thread injection) 13->141 25 explorer.exe 13->25         started        27 bfsvc.exe 13->27         started        29 conhost.exe 13->29         started        99 dba692117be7b6d3480fe5220fdd58b38bf.xyz 45.147.197.60, 49809, 80 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 15->99 101 192.168.2.1 unknown unknown 15->101 143 Performs DNS queries to domains with low reputation 15->143 signatures5 process6 dnsIp7 91 92.255.85.137, 41320, 49765 SOVTEL-ASRU Russian Federation 18->91 93 transfer.sh 144.76.136.153, 443, 49802, 49805 HETZNER-ASDE Germany 18->93 83 C:\Users\user\AppData\Local\Temp\ssda.exe, PE32+ 18->83 dropped 85 C:\Users\user\AppData\Local\Temp\bayden.exe, PE32 18->85 dropped 121 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->121 123 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->123 125 Tries to harvest and steal browser information (history, passwords, etc) 18->125 127 Tries to steal Crypto Currency Wallets 18->127 31 ssda.exe 1 2 18->31         started        35 bayden.exe 3 18->35         started        37 conhost.exe 25->37         started        39 curl.exe 25->39         started        41 conhost.exe 27->41         started        file8 signatures9 process10 file11 87 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 31->87 dropped 103 Multi AV Scanner detection for dropped file 31->103 105 Machine Learning detection for dropped file 31->105 107 Injects code into the Windows Explorer (explorer.exe) 31->107 111 5 other signatures 31->111 43 explorer.exe 2 31->43         started        45 curl.exe 1 31->45         started        48 bfsvc.exe 1 31->48         started        50 conhost.exe 31->50         started        89 C:\Users\user\AppData\Local\...\subst.exe, PE32 35->89 dropped 109 Uses schtasks.exe or at.exe to add and modify task schedules 35->109 52 schtasks.exe 1 35->52         started        signatures12 process13 dnsIp14 54 curl.exe 43->54         started        57 curl.exe 43->57         started        59 curl.exe 43->59         started        67 6 other processes 43->67 97 api.telegram.org 149.154.167.220, 443, 49806 TELEGRAMRU United Kingdom 45->97 61 conhost.exe 45->61         started        63 conhost.exe 48->63         started        65 conhost.exe 52->65         started        process15 dnsIp16 95 185.137.234.33, 49811, 49812, 49813 SELECTELRU Russian Federation 54->95 69 conhost.exe 54->69         started        71 conhost.exe 57->71         started        73 conhost.exe 59->73         started        75 conhost.exe 67->75         started        77 conhost.exe 67->77         started        79 conhost.exe 67->79         started        81 2 other processes 67->81 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd33bf66fb78dd738965c8fb1602e16bb6df43972b25b18ec8671cfb5d313e3e/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 17:07:17 UTC
File Type:
PE (Exe)
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3uz36zx3pdoxhclfzd5rmaxbno3n6q4xfms3ddwim4opwxjrhy7a._file
Verdict:
malicious
Similar samples:
091098c89adf865b81d21e36e58f9781f827df8fae2938c931b6e72da56e5f68
RedLineStealer
2f66e12d5f65fad1c9e562115fbf079e0d0dd9b960d8130d30c03e2eb7040584
RedLineStealer
46a70716ba5d34c2c529d426789a5498f674df305d95fe5af914eb6920f9f823
RedLineStealer
5281d5d6fa1dcead6e230a35b27f7e867177ad2aa1d3dfaba22b0f4f1a6424be
RedLineStealer
6e60006ac8af12483aee2b0f6bcf0a963a0423b494b55f56ad51bfc9b3a3bd71
RedLineStealer
876e10c736abb0d29524896673ce1b4ad2928ec6bb2ed218a3199fb6b9a120cb
RedLineStealer
89cda5d4b0522f5d762664903ee10492ef9a22dcae5d1c013fa8c663c37b63d9
RedLineStealer
d496f178f6400d703c1bc434b7694369d94c68a5756f811bb5ded09ff78b1158
RedLineStealer
d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4
RedLineStealer
f04444ba33a73f6fa9770d0330cc489bf8b919f6c3342b66e3f423894ea22f2f
RedLineStealer
+ 1'324 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220216-vmze6abhh8/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
896c5d122f4826a628f30e90eb6dd3e7aef07faa8bd0849be36bc55b667866a7
MD5 hash:
4877977993ec0f001408ef1cbe33f044
SHA1 hash:
a91ef1ad3ff17cb88c5da80a30a478be85a1ac1b
Link:
https://www.unpac.me/results/3154afba-4e1b-42d4-acd3-9a2151d67693/
SH256 hash:
1f6e7f7f5443f47ac57b9ae68e33da6bf69e883f64d63b24634bfbc9e7ad5cb5
MD5 hash:
887697694ee529a7e4ee20b825eb59a7
SHA1 hash:
af352d1c60aed9b5f45cbe352816155cf32fdd51
Link:
https://www.unpac.me/results/3154afba-4e1b-42d4-acd3-9a2151d67693/
SH256 hash:
dd33bf66fb78dd738965c8fb1602e16bb6df43972b25b18ec8671cfb5d313e3e
MD5 hash:
9e41c1ff5349b13107a32955121b23ee
SHA1 hash:
3989c15345f12accd812962393488ff52d221be3
Link:
https://www.unpac.me/results/3154afba-4e1b-42d4-acd3-9a2151d67693/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dd33bf66fb78/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd33bf66fb78dd738965c8fb1602e16bb6df43972b25b18ec8671cfb5d313e3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241974/

Comments