MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 036596f2b6fcb1057343cb0128835115d994aed19657c01444d0da01dba18876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 5 File information Comments

SHA256 hash:	036596f2b6fcb1057343cb0128835115d994aed19657c01444d0da01dba18876
SHA3-384 hash:	4741c41d1ddd32f74442020342f66c52819d5348371a166982f7c3762a79ac6c4131272483b253ceb9a409144c0e5905
SHA1 hash:	7cc6503c38622bb8903c3b9dc489e5772beecd3c
MD5 hash:	54f1c67ce3aa7bb2df6ae600e1569374
humanhash:	yankee-beryllium-coffee-snake
File name:	gunzipped.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	830'464 bytes
First seen:	2021-12-08 19:16:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:Ltr7yDywG9qd0NZyYtiNAih3q7UaxaBuXtnX2y:L57k0v0NAW9URXH
Threatray	1'734 similar samples on MalwareBazaar
TLSH	T11605C76CC1A4EEEBF03BC2B59C31B19056AAEED9D5258A49FC2A304315737523D62C1F
File icon (PE):
dhash icon	34ecccccd4e8f4dc (4 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.191.231.246:28630

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.191.231.246:28630	https://threatfox.abuse.ch/ioc/268499/

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

gunzipped.exe

Verdict:

Malicious activity

Analysis date:

2021-12-08 19:44:20 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/d8c9ddaf-a6a4-415c-8cd8-2308bbef5b5d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/212608/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61b104b44d8e6f3a5e1a086a/reports/27e3ed3b-4dcb-4f48-91cd-d94bc3a47190/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cf8c264a-1f34-4312-a8e3-6260742c8241

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/904170

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/036596f2b6fcb1057343cb0128835115d994aed19657c01444d0da01dba18876/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-12-08 19:17:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=anszn4vw7syqk42dzmasra2rcxmzjlwrszl4afce2dnadw5brb3a._file

Verdict:

malicious

RedLineStealer

1a7430bf377e8db2b002f1a8deb3066e630180df3e38c7615c721bd11da9225f

RedLineStealer

1b3bf9add0f17a1cfe5b6045be437e9160f02250c3d6b0222968c9e36d7207b2

RedLineStealer

4f6c71d1bcd5b1f9fdaecbbc239ffdc05c376cc3fdcbb81271c81be45cc40031

RedLineStealer

7c4a95d3b713f29745a28c55000e03fa3255c1b49f607cfd8c0a018256e83d73

RedLineStealer

a9c68b448101f65cb3cc37b23ec5f9a3ca49bcbfc5bb81b2387524f71be57bd1

RedLineStealer

b3017423803f99630b929d80024e2c8dfaa20b6c29d1eb1e850c7850c8603b9a

RedLineStealer

c2d5a0bcc88f34998f6ac35a55b23fc87b56ee5d700273828fa8cf55d8b04385

RedLineStealer

d6b47354dff2693d279b357d0901496908922679207ebef447e78160cd45bdf3

RedLineStealer

eebb0bc908c35371455035b1bfdf3e1b89abd056deaece5b295f0863f0c5aeed

RedLineStealer

+ 1'724 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:cashout discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211208-xzdqbsacem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.191.231.246:28630

Unpacked files

SH256 hash:

10ba7bd27a91a71cc248e4cdb64de830151e00f81283b9d3329387aea5b11108

MD5 hash:

70d26d61dec1ccbebc5c37a366afe1db

SHA1 hash:

c1517b073287ea09216be4ead787c9d2eccdc84c

Link:

https://www.unpac.me/results/2e378f6f-9b49-47c3-aa95-2fc328c1c337/

SH256 hash:

af06918a5c9b1fc97ca6824ace52b0f2b8cc5bb7358fc6d13f1ba9c50d72a1db

MD5 hash:

dd2ba4ad5eabb0c28a5f8238fc2e43bf

SHA1 hash:

6084be58852afa14ae2ad26d99d77c735edb1375

Link:

https://www.unpac.me/results/2e378f6f-9b49-47c3-aa95-2fc328c1c337/

SH256 hash:

79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696

MD5 hash:

39f524c1ab0eb76dfd79b2852e5e8c39

SHA1 hash:

428018e1701006744e34480b0029982a76d8a57d

Link:

https://www.unpac.me/results/2e378f6f-9b49-47c3-aa95-2fc328c1c337/

SH256 hash:

036596f2b6fcb1057343cb0128835115d994aed19657c01444d0da01dba18876

MD5 hash:

54f1c67ce3aa7bb2df6ae600e1569374

SHA1 hash:

7cc6503c38622bb8903c3b9dc489e5772beecd3c

Link:

https://www.unpac.me/results/2e378f6f-9b49-47c3-aa95-2fc328c1c337/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/036596f2b6fc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/036596f2b6fcb1057343cb0128835115d994aed19657c01444d0da01dba18876

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/212608/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample