MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
SHA3-384 hash: 93e8aa3919f7597a196901fdab30f9665175bb2f370addfc068345b53252b2d5d1de68681b44db2e4a66206932457bdb
SHA1 hash: f40891e66c3b6a568a822a6a09868370ea80a3a1
MD5 hash: 5c8f76ef10a7d2493dec6399c4225a73
humanhash: music-saturn-don-five
File name:5c8f76ef10a7d2493dec6399c4225a73.exe
Download: download sample
Signature RedLineStealer
File size:1'053'104 bytes
First seen:2020-07-31 08:36:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44
ssdeep 24576:YQEhMzeNJBjAObi4M2rIDTU4fmj6J/d5JJXuE6YBp5:YQEhM8BfbiyrIDovj6llJXv6YB
TLSH 22251205B6CE8610FEA9C530A17986814776FC40BE22C3D31791FAD14FA5B728D25BAB
Reporter @abuse_ch
Tags:exe RedLineStealer


Twitter
@abuse_ch
RedLineStealer C2:
http://zeave.xyz/IRemotePanel

Intelligence


File Origin
# of uploads :
1
# of downloads :
32
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Delayed writing of the file
Launching a process
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Using the Windows Management Instrumentation requests
Connection attempt
Launching a tool to kill processes
Deleting of the original file
Unauthorized injection to a system process
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Signature
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255245 Sample: jQcEDM33ao.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 72 45 zeave.xyz 2->45 47 g.msn.com 2->47 49 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->49 57 Yara detected RedLine Stealer 2->57 59 Uses ping.exe to sleep 2->59 61 Machine Learning detection for sample 2->61 63 3 other signatures 2->63 11 jQcEDM33ao.exe 1 6 2->11         started        14 rundll32.exe 2->14         started        signatures3 process4 file5 43 C:\Users\user\...\SpKWlRpqQTmGoYMEl.com, COM 11->43 dropped 16 cmd.exe 1 11->16         started        19 powershell.exe 21 11->19         started        process6 signatures7 55 Drops PE files with a suspicious file extension 16->55 21 cmd.exe 2 16->21         started        25 conhost.exe 16->25         started        27 conhost.exe 19->27         started        process8 file9 41 C:\Users\user\AppData\Local\...\explorer.com, PE32 21->41 dropped 65 Uses ping.exe to sleep 21->65 29 explorer.com 21->29         started        31 PING.EXE 1 21->31         started        34 certutil.exe 2 21->34         started        signatures10 process11 dnsIp12 36 explorer.com 29->36         started        53 127.0.0.1 unknown unknown 31->53 process13 dnsIp14 51 BRHlEL.BRHlEL 36->51 39 RegAsm.exe 36->39         started        process15
Threat name:
Win32.Trojan.Casdet
Status:
Malicious
First seen:
2020-07-31 01:27:00 UTC
AV detection:
15 of 31 (48.39%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer infostealer family:redline spyware discovery persistence trojan family:agenttesla
Behaviour
Kills process with taskkill
Modifies registry class
Checks whether UAC is enabled
Enumerates system info in registry
Modifies Control Panel
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Program crash
Checks installed software on the system
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
AgentTesla Payload
RedLine
AgentTesla
Suspicious use of NtCreateProcessExOtherParentProcess
Threat name:
Trojan
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868

(this sample)

  
Delivery method
Distributed via web download

Comments