MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8
SHA3-384 hash:	e3bd1d6d74b19fa579f826ec05783cce52b1914abb29d07883e630bdb22a66e65ce10b24adf7c5e8a8ac70fb68db9c9d
SHA1 hash:	3e214c12aeb9f54c682dd63fd5e77ac10bc60774
MD5 hash:	fd118cd10923a0d7a58d977fb74295f4
humanhash:	nevada-three-river-bluebird
File name:	fd118cd10923a0d7a58d977fb74295f4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'000'608 bytes
First seen:	2020-07-09 06:42:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:M1XgJw8+csOzjzYU+xBwk9BiW/BhSYIAw0I:M1wJw8vYU+t7/BhSYlw0I
Threatray	29 similar samples on MalwareBazaar
TLSH	D525C0732614CEA7C6B04A31A67B48240FD8DC9BB635B3DD7FC8B2495A721E04F51B92
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://moonberry.pk/IRemotePanel

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23427/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.43457183.21323.6702.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

DNS request

Sending a custom TCP request

Creating a file in the Windows subdirectories

Connection attempt to an infection source

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-08 19:28:00 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=new4plci36rydtl7qybdnb3ogyq26lq5zgclr4kmvvey4qjordma._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

0f081ea4e30ca05fc2977235bf239992b17fa9968b58b001990e4539f0899269

6ad2831339a2a6fc8d140c8718cf38fabef9915409bd32cd86221b515b4be629

75adf0d7e708b54f8debec4767e2ba3cc52cdf0264a8d6545865d4c7ae7352d0

7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335

99b9b649c59745f1544c91ffe35dad1e1529c9cb6715325c95ee396bbe3db2ab

b74e722c4a7b85d49e9c25991528d742161a1ae76c860e001868b1918dc66222

bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc

e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf

f5123e1fe20922f1e236abdc7aa90f98056ffef585bc4a2c1b93cfd2dd2736a0

fa4626e2c5984d7868a685c5102530bd8260d0b31ef06d2ce2da7636da48d2d6

+ 19 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

evasion spyware trojan infostealer family:redline ransomware persistence discovery

Link:

https://tria.ge/reports/200709-vmct3k95w6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Kills process with taskkill

System policy modification

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Interacts with shadow copies

Suspicious use of SetThreadContext

Modifies service

Drops desktop.ini file(s)

Modifies system certificate store

Checks for installed software on the system

Enumerates connected drives

Checks whether UAC is enabled

Looks up external IP address via web service

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of web browsers

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Deletes shadow copies

UAC bypass

RedLine

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/23427/

URLhaus

https://urlhaus.abuse.ch/url/408718/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample