MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224
SHA3-384 hash:	12d25ac2e72e97009818184f3f2419ed41ce8010a7bfb5b2f1c906c85edebdfaf042d6ad47a6b6025098c7a40b53e49b
SHA1 hash:	154049870b84a7865181efae2e0e02b9ea63d9be
MD5 hash:	be5a217876c992659c0223470b981b9c
humanhash:	winner-mirror-hotel-lactose
File name:	53660416.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'459'872 bytes
First seen:	2022-03-22 19:19:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	57b4688c454480cc1bf2337299d38c69 (1 x RedLineStealer)
ssdeep	24576:vcoq1jaXVPuMA20y40Ej78AEkgfrOwAo6RQcxdW3NoV5HoBNooH8MpCFRJCv2fFA:vcb1GE20d5ERfybxquHobl8MIRu
Threatray	4'508 similar samples on MalwareBazaar
TLSH	T18F65337AAD0CD785CD026AB7702E5F284247DA770E5F6B086219980CEC4D3F9615AF2E
Reporter	adm1n_usa32
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/255154/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.20124.2957.28643.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/623a21a80cd58dbd92d8daf1/reports/daa7cbfc-4410-439b-93a9-39f5790d1094/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/922ceadf-48e1-42ba-b814-b76395653a07

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/961956

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-04 16:24:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

0f0807cdcb400a718656d3ec845ad57ffef9e25232d50044bb8d7a5d9d2a0a98

RedLineStealer

15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259

RedLineStealer

162d0b27db414f15b5ae0870b2a4132b7fad64f8471441541ff153c2aded121a

RedLineStealer

267ca80ba7f91e7982bed38464198b13be2a517b2db425e4f9e3af39f003248d

RedLineStealer

392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b

RedLineStealer

6046aace6f59b5eba51322cb82de3b9b6be567f958b65d6586e6924a2366a32c

RedLineStealer

bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3

RedLineStealer

fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9

RedLineStealer

+ 4'498 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:gb3 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220322-x149nshba5/

Behaviour

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

elew3le3lanle.freeddns.org:4633

Unpacked files

SH256 hash:

d4b7ba75aadffe537451416f799aec9abea0bdec5e0ae7a018d17c9ed69191b8

MD5 hash:

ac48c2d06dda274f0f1233c96e9b00a7

SHA1 hash:

bf0825cee5dc902bdb81fccf9a4ae56e89107375

Link:

https://www.unpac.me/results/9784870b-5237-40c7-affe-9a9e547afbce/

SH256 hash:

02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224

MD5 hash:

be5a217876c992659c0223470b981b9c

SHA1 hash:

154049870b84a7865181efae2e0e02b9ea63d9be

Link:

https://www.unpac.me/results/9784870b-5237-40c7-affe-9a9e547afbce/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2084421/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/255154/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample