MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c
SHA3-384 hash: baf3455172187d2965e2482f8e0d8db2c83606a002b485506ba6d249cd8c757f9f8e45f63dcf8fc065a39cb2e749a31d
SHA1 hash: 1060924310d7bb365e86f9aa5a8d65a27a8f2344
MD5 hash: 7e24338014cbbcd2876198f9a88abf4e
humanhash: jersey-mockingbird-nineteen-green
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:833'024 bytes
First seen:2022-11-29 15:09:08 UTC
Last seen:2022-11-29 16:32:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Y7dDdEPfNN6hzGwS4KNHNKGdANLr0VshYbqkfc4:MgP0k4KRYGWr8syqkfc
Threatray 6'340 similar samples on MalwareBazaar
TLSH T10F05CF8033A6AF71F5286BF37861800827763C6EA5F1D2296DDDB0DE2A71B4149F1B17
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET exe MSIL RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-29 15:10:48 UTC
Tags:
trojan rat redline evasion stealer
Link:
https://app.any.run/tasks/f01df298-cd1e-4de8-b5a5-8c7cf8f0f80d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/339769/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.490.29273.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638620cb24da1c12cfe210d4/reports/583986b3-de7c-4497-bf65-a816a4181a02/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/626f0ff1-0830-450d-b9a0-bfab3956eafc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1123358
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 756087 Sample: file.exe Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 42 api.ip.sb 2->42 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 8 other signatures 2->56 8 file.exe 7 2->8         started        12 fmwcWZdNzyphB.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\fmwcWZdNzyphB.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmpB10B.tmp, XML 8->38 dropped 40 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->40 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->58 60 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 64 Adds a directory exclusion to Windows Defender 8->64 14 file.exe 15 31 8->14         started        18 powershell.exe 21 8->18         started        20 schtasks.exe 1 8->20         started        66 Multi AV Scanner detection for dropped file 12->66 22 schtasks.exe 12->22         started        24 fmwcWZdNzyphB.exe 12->24         started        signatures6 process7 dnsIp8 44 37.139.128.51, 49712, 49716, 49717 LVLT-10753US Germany 14->44 46 api.ip.sb 14->46 48 192.168.2.1 unknown unknown 14->48 68 Tries to harvest and steal browser information (history, passwords, etc) 14->68 70 Tries to steal Crypto Currency Wallets 14->70 26 conhost.exe 14->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 14:06:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
23 of 40 (57.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=apc75agaa55gym75xlbufn4jlnq4my3xw5az4rz33k7ohpwrvewa._file
Verdict:
malicious
Similar samples:
244255971b9d82dd686c21052ce0261c6c3e042539d795cf430d43b9d9a16432
RedLineStealer
5cfdb9f856907336025bbd526f7383ae8edbce669348b8e330251dfe21072c8f
RedLineStealer
6a815b74ccd6c51f3b3e3634d9b48f8437f304ae9d40c38a042a868b5fa0aa52
RedLineStealer
755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
RedLineStealer
c3a58b2823cbb861f4bbb350cfffc4fc39875f38ad6af221def83031eef1e0e3
RedLineStealer
d1e9780a620ddf149c2aed319388bca7ed690c2a58c9ffc8f60b1c4515115dc9
RedLineStealer
f7318ba2fa1309d96755c3f7614b24f8ff05c3d14491f9becfab3b58f2be00d0
RedLineStealer
+ 6'330 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:app discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221129-sj21rsba96/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
37.139.128.51:53092
Unpacked files
SH256 hash:
ee0edd07ff62447e0dea0ef186b899f9624af5abf3eb4024c6440a8ba169a69e
MD5 hash:
588a1ee60fce35f2d601a54fffd6cafb
SHA1 hash:
eb12e806ce831d8a88d559c20a3a8a09c4a74be8
Link:
https://www.unpac.me/results/74177d9e-1514-44c8-99d7-33dfd4442582/
SH256 hash:
49dca027da4b8d02582ef73e38b5050843619f6e139f49f22e1b8091be9bfb21
MD5 hash:
0d3eeab3123cee2a8e7fbbe88cc8de4a
SHA1 hash:
d382694cf5c1f2a070ae65e2854d28252ecbd6d6
Link:
https://www.unpac.me/results/74177d9e-1514-44c8-99d7-33dfd4442582/
SH256 hash:
6ef01e0d411e55e04fcd7a9c704d7c1b5dca4359b62f25217b2a767cd41a552d
MD5 hash:
dae62dee5da2f6dd8b1485d123378372
SHA1 hash:
c4077d933a21ee53153d24b0e84022aa634f0667
Link:
https://www.unpac.me/results/74177d9e-1514-44c8-99d7-33dfd4442582/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/74177d9e-1514-44c8-99d7-33dfd4442582/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/74177d9e-1514-44c8-99d7-33dfd4442582/
SH256 hash:
03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c
MD5 hash:
7e24338014cbbcd2876198f9a88abf4e
SHA1 hash:
1060924310d7bb365e86f9aa5a8d65a27a8f2344
Link:
https://www.unpac.me/results/74177d9e-1514-44c8-99d7-33dfd4442582/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/03c5fe80c007/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/339769/

Comments