MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d
SHA3-384 hash: b64e5c49afdfc1cab59b34130b7e6594a6db74051aec7484c0b115af6996076131a8c9deb8478b6ef1fff5acda9cecfb
SHA1 hash: a90525efa95ca320e7e9cfdeb4da2454add2edcd
MD5 hash: a6718d7cecc4ec8aeef273918d18aa19
humanhash: earth-yellow-stream-jupiter
File name:a6718d7cecc4ec8aeef273918d18aa19
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:558'320 bytes
First seen:2022-02-01 18:35:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 944bb3e749e0b29a3425f77ded6b5435 (2 x RedLineStealer)
ssdeep 12288:KTTwZJiLjMuteVAEitR/XnHrB+0Kb+WpQw04w1SsIz+ArSwT4Ad4:KmQjPwALtBlxKbFVw1FM+ArJ4Aa
Threatray 3'022 similar samples on MalwareBazaar
TLSH T167C4230B42967805FDE4503A52D4D63EA27C776C094A86E1BFEC6C30B776B66EB02335
File icon (PE):PE icon
dhash icon 716869c8a4a6cadc (1 x RedLineStealer)
Reporter zbetcheckin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/229294/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.38833.32587.15318.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Creating a file
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61f97da16d25ac9e79f72d5c/reports/adb4216d-36c8-43f0-9e37-94503105ec70/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f647f36b-29cb-4a81-9034-7ed6055da256
Result
Threat name:
DCRat RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/931967
Signature
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Executable Used by PlugX in Uncommon Location
Sigma detected: Execution from Suspicious Folder
Sigma detected: File Created with System Process Name
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 564450 Sample: vu5TAYeQ53 Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 51 mirtonewbacker.com 2->51 53 id.xn--80akicokc0aablc.xn--p1ai 2->53 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 12 other signatures 2->65 7 vu5TAYeQ53.exe 15 7 2->7         started        12 wininit.exe 3 2->12         started        14 schtasks.exe 2->14         started        16 schtasks.exe 2->16         started        signatures3 process4 dnsIp5 57 d0me.net 31.42.189.50, 49743, 80 SERVERIUS-ASNL Ukraine 7->57 43 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 7->43 dropped 45 C:\Users\user\AppData\Local\Temp\as.exe, PE32 7->45 dropped 47 C:\Users\user\AppData\Local\Temp\re.exe, MS-DOS 7->47 dropped 49 C:\Users\user\AppData\...\vu5TAYeQ53.exe.log, ASCII 7->49 dropped 81 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->81 83 Tries to evade analysis by execution special instruction which cause usermode exception 7->83 85 Hides threads from debuggers 7->85 18 rc.exe 8 17 7->18         started        22 re.exe 2 7->22         started        25 as.exe 51 7->25         started        87 Query firmware table information (likely to detect VMs) 12->87 89 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->89 file6 signatures7 process8 dnsIp9 27 C:\ProgramData\Package Cache\...\wininit.exe, PE32 18->27 dropped 29 C:\Program Files\...\backgroundTaskHost.exe, PE32 18->29 dropped 31 C:\PerfLogs\RuntimeBroker.exe, PE32 18->31 dropped 39 2 other files (none is malicious) 18->39 dropped 67 Multi AV Scanner detection for dropped file 18->67 69 Detected unpacking (changes PE section rights) 18->69 71 Detected unpacking (overwrites its own PE header) 18->71 79 4 other signatures 18->79 55 92.38.241.101, 36778 DINET-ASRU Russian Federation 22->55 73 Detected unpacking (creates a PE file in dynamic memory) 22->73 75 Machine Learning detection for dropped file 22->75 77 Tries to evade analysis by execution special instruction which cause usermode exception 22->77 33 C:\Users\user\AppData\Local\...\quartz.dll, PE32 25->33 dropped 35 C:\Users\user\AppData\...\vcruntime140.dll, PE32 25->35 dropped 37 C:\Users\user\AppData\Local\...\vcomp140.dll, PE32 25->37 dropped 41 21 other files (none is malicious) 25->41 dropped file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d/
Threat name:
Win32.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 01:19:40 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
0ea0d467809f6db13fbbc3949ca3a4a0f90f60c80cb5cdc03aecdc6e060f0869
RedLineStealer
133fd7b6a946f6e6d658a52d3eff496070bb38351cb27bc3647e0215025af470
RedLineStealer
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
RedLineStealer
44caf98e5ae6e4c45d0c49f0ec2ba8e833e806e74c5b3cde1b48d440f873d97a
RedLineStealer
62c294f6084d81cdac6be310763bf8ae12f9f8ac1454fc24c69b839885b89252
RedLineStealer
867dae598a8c52cc300bf8a0683134bf4371c1eb709d3caebab55a53883e7f71
RedLineStealer
cc2f338306f88a416e0f4b4efd537a244a907275e2ca866ce176b7cd957bd0d5
RedLineStealer
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
RedLineStealer
+ 3'012 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline evasion infostealer persistence suricata trojan
Link:
https://tria.ge/reports/220201-w8w3laadep/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
RedLine
RedLine Payload
suricata: ET MALWARE SpyAgent C&C Activity (Request)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32.Spy/TVRat Checkin
Unpacked files
SH256 hash:
7058c829a448e616496e815ab4fb895700c62a2f4be3ec945ed51e6acbd14e0b
MD5 hash:
c31cc98badd98e5f80e20eb6bc0527dc
SHA1 hash:
b2d6edb2864666c1412adfe9a317694686413d7c
Link:
https://www.unpac.me/results/f44f7741-c485-4f70-98b5-dcd6c9b24688/
SH256 hash:
ced51953be2dfb9865019a07427717d1c93b0b5dc30f167a78a035bf128a66b4
MD5 hash:
c3c96285bf6e2f7414e5e3c9d77df6c2
SHA1 hash:
0c59608ec6b1b152791a1af0abae22d83c7fe270
Link:
https://www.unpac.me/results/f44f7741-c485-4f70-98b5-dcd6c9b24688/
SH256 hash:
0e25011778daef14c6a7e924ac66468828d8836461cf5cb6162053430990445b
MD5 hash:
c3f1241ce72b349419b11489a1c409ba
SHA1 hash:
dd3e136a2f4a50396f3ae0d4b65c2f4be1d9e9ce
Link:
https://www.unpac.me/results/f44f7741-c485-4f70-98b5-dcd6c9b24688/
SH256 hash:
e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d
MD5 hash:
a6718d7cecc4ec8aeef273918d18aa19
SHA1 hash:
a90525efa95ca320e7e9cfdeb4da2454add2edcd
Link:
https://www.unpac.me/results/f44f7741-c485-4f70-98b5-dcd6c9b24688/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2021907/
Cape
Cape
https://www.capesandbox.com/analysis/229294/

Comments


Avatar
zbet commented on 2022-02-01 18:35:50 UTC

url : hxxps://verio-tx.net/Client.exe