MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 069ea459cef8681cb8ad4158e52fea53f37e02891c0a53da0f4eb335a9f143be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 069ea459cef8681cb8ad4158e52fea53f37e02891c0a53da0f4eb335a9f143be
SHA3-384 hash: d7ceef8a4bc34f00d206bac76a4bc186ca749025d7d8c44672de34797360c1ea744778279e1ed26c204ce02a6c1e92fb
SHA1 hash: 9c0d69ffc8afc8a66c34869292c36fb7c4e1ee94
MD5 hash: 2efbbd81ba1a658ef95661d208ba627d
humanhash: coffee-magazine-network-illinois
File name:2efbbd81ba1a658ef95661d208ba627d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:428'032 bytes
First seen:2022-06-14 12:10:52 UTC
Last seen:2022-06-14 12:47:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'631 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:D2Mh3A93LTyehsg6vWoQ/0CY1QWuDIwvXBnlvw1DMchBlrqR2PWeZhUEwIt:DtRAZLsg6en0XhefXByJMcb5BPWef/
Threatray 1'814 similar samples on MalwareBazaar
TLSH T1CB94DF15BEB7CC12C1A81B76C1E790140374AA879617E70F3ACE23994D037EB9D8979B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.137.22.237:53362

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.137.22.237:53362 https://threatfox.abuse.ch/ioc/699385/

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
2efbbd81ba1a658ef95661d208ba627d.exe
Verdict:
Malicious activity
Analysis date:
2022-06-14 12:21:51 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/435a9147-1a91-427e-b836-fa840bd934e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/279793/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.29573.5427.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending an HTTP POST request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/62a87ada73b91c38f68de4d0/reports/c2fa20bf-4f9b-47ae-a060-5ef562d0f981/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19975740-d96b-413a-a03c-0aacfb404c9b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1012863
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/069ea459cef8681cb8ad4158e52fea53f37e02891c0a53da0f4eb335a9f143be/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 12:11:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2pkiwoo7bubzofnifmokl7kkpzx4aujdqffhwqpj2ztlkprio7a._file
Verdict:
malicious
Similar samples:
04d8f49a1e499c607e5f1efe61dc023f4346c1072a3992b7ea61604a34975608
RedLineStealer
6f178549e4142e5c18653b7b0391b1e5025b320420a52eae4cfe74a83ea73e96
RedLineStealer
b9a68b7741ffa5390150392587ff6793168b1ad6e97f05d4b336b826218eeae8
RedLineStealer
d3817d4e0e6fec28d66ca03c2e37a9bdc79813d3dd8c14889b539d2a5d53e7e2
RedLineStealer
dd57b29d824fa3fc5cc52c484c9e13cc9b13a63f917a108a4a73d192cee4dbdb
RedLineStealer
ee0ad75c2330cbdb9dd4eb298b4d66b84e4fdba7e44b0a5b3cd7b355cb373ba1
RedLineStealer
+ 1'804 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:money discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220614-pcklcshhe7/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.137.22.237:53362
Unpacked files
SH256 hash:
518bc7fc61ba3afa1928983b21dfcbcf7718ff05fe10a1e750140e5f1dd02260
MD5 hash:
9f3f7b0a38e675a6ad4e513afcd05477
SHA1 hash:
ac90de86f54b7c5bf5fce7111fb18719fb69c08b
Link:
https://www.unpac.me/results/502beaa2-b22e-4183-b785-139e825129ec/
SH256 hash:
a68a0bf170bc305d16d84b31a0ab6c404fd9766e52c3c80f4e937314b9dbce16
MD5 hash:
e9616c0b9233c06fce80448d052d8f14
SHA1 hash:
60cf720f5e6ce2411de423d225440148a3f6ff42
Link:
https://www.unpac.me/results/502beaa2-b22e-4183-b785-139e825129ec/
SH256 hash:
2fe9852668ae6b7715a5c6f8764744f9cb2ef3163adf0f360728f628d42ce916
MD5 hash:
26bfda201145c515616dbb9243785084
SHA1 hash:
4133e7329a79766bbe670a398fdfb442eb70487d
Link:
https://www.unpac.me/results/502beaa2-b22e-4183-b785-139e825129ec/
SH256 hash:
5b9ff1ca687cb0cb2921eaef1142cf9ae2bf44b0ba57257073b9649f14bdb921
MD5 hash:
c76a5460b908dd25f1efbf41baf391b9
SHA1 hash:
27e3e104490af7a2999052ab8a9a62e16a0dc978
Link:
https://www.unpac.me/results/502beaa2-b22e-4183-b785-139e825129ec/
SH256 hash:
069ea459cef8681cb8ad4158e52fea53f37e02891c0a53da0f4eb335a9f143be
MD5 hash:
2efbbd81ba1a658ef95661d208ba627d
SHA1 hash:
9c0d69ffc8afc8a66c34869292c36fb7c4e1ee94
Link:
https://www.unpac.me/results/502beaa2-b22e-4183-b785-139e825129ec/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/069ea459cef8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/069ea459cef8681cb8ad4158e52fea53f37e02891c0a53da0f4eb335a9f143be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 069ea459cef8681cb8ad4158e52fea53f37e02891c0a53da0f4eb335a9f143be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2097009/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/279793/

Comments