MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07a99e4bee3c3e8a74711ae37d7305412a9d316ea5e3f764a524a67b6a7158b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07a99e4bee3c3e8a74711ae37d7305412a9d316ea5e3f764a524a67b6a7158b9
SHA3-384 hash: 4ce6b2b2467237eb91f3c8db185dd7360aadf8f3a61f9422c0159f784472c3349ca660ea0b092701e784cdec2299b546
SHA1 hash: 76debc7ec8456748d728a4235a540deaa7485640
MD5 hash: 763062d8b47703226a9d3c226d4da41b
humanhash: butter-queen-eleven-oranges
File name:Auto tune install.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:637'440 bytes
First seen:2022-03-24 20:40:11 UTC
Last seen:2022-03-24 22:54:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:iY6hqi218rQ/M1+RY5QS03ULaHNqrxlKIQNoYEqolY3NVzrEez:7Cqqu8+RukEaHNYK3T7oy3NVzLz
Threatray 1'927 similar samples on MalwareBazaar
TLSH T172D423FB65D0781AC1CE3BF477396B058353969C7EE8EADE7638808324790D18A354B9
Reporter JaffaCakes118
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.217.107.248:34073 https://threatfox.abuse.ch/ioc/447670/

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Auto tune install.exe
Verdict:
Malicious activity
Analysis date:
2022-03-24 20:39:57 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/aea20160-e2c8-4c4e-a52f-0b27cddc5eb7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257385/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed racealer
Link:
https://www.filescan.io/uploads/623cd739dfdfa8501cdacacc/reports/0029eee3-44ec-4120-ab8b-799c375d67a6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3893c1d8-fa63-43a0-ace8-c778e3b83cac
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964075
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07a99e4bee3c3e8a74711ae37d7305412a9d316ea5e3f764a524a67b6a7158b9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 20:41:16 UTC
File Type:
PE (Exe)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6uz4s7ohq7iu5drdlrx24yfievj2mlouxr7ozffesthw2trlc4q._file
Verdict:
malicious
Similar samples:
093c77391ffd6eb280164f85a236886dfa56c3e1463fbba681982ce463b36810
RedLineStealer
0d406e492d0879dc501507c610332d8db948b5d8e2df05822cf74710f4063bbd
RedLineStealer
527b3ec7f548207e3ef8509973591509e5d61c91d613c232329204dfa35535be
RedLineStealer
5a0473da7a9d5dc249c8767d294f2a154f5cb3919c543eefb24f5df9ef47cc6b
RedLineStealer
615bdcc0965d35255d99668380668e1811effaa80cc69c1c78f6a455be86c685
RedLineStealer
9387ed8c88e1a7c51634bd743ef8f4604237db09b484f730fb814782c9a81fb2
RedLineStealer
a8e942ebaff8eb7f4e94c35aa55e48ad6d5791f86a3d1e01ec3a22a9d4bb9568
RedLineStealer
c0887fac0c1921b6678e81a90619bda7f0ffb9abee99583fe9f32107e0975e0b
RedLineStealer
c119d0bab75794fd6f36e8a3a790af438a9fc32a0c4573f206542cb4c3989d38
RedLineStealer
c9abc728dca7c4557f39ac69632735fe1a0cf29e12ae80e81b5912e8c6f929bc
RedLineStealer
+ 1'917 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@drooping1863 infostealer
Link:
https://tria.ge/reports/220324-zfzjssebf7/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.217.107.248:34073
Unpacked files
SH256 hash:
40d24ef8b85972a25d39ac9631062642cb370dfb201d0a77c58e84a8f16fb95c
MD5 hash:
bb6fbcb573f676dafc53d77ab1815c84
SHA1 hash:
7070a890af616e90d8287f166a79cb14fe8092d1
Link:
https://www.unpac.me/results/3f13da25-41ba-4b87-bf9a-a52a5a411398/
SH256 hash:
ddd486fd65ea717fce5ce7f33007809143b8ed622646f23987a1d43cf4587e40
MD5 hash:
81c79c7a050f2d54be92681c46bc510b
SHA1 hash:
b519c4b2da3bfb5f6a1bcdcb50efbd98bdb3bbe7
Link:
https://www.unpac.me/results/3f13da25-41ba-4b87-bf9a-a52a5a411398/
SH256 hash:
07a99e4bee3c3e8a74711ae37d7305412a9d316ea5e3f764a524a67b6a7158b9
MD5 hash:
763062d8b47703226a9d3c226d4da41b
SHA1 hash:
76debc7ec8456748d728a4235a540deaa7485640
Link:
https://www.unpac.me/results/3f13da25-41ba-4b87-bf9a-a52a5a411398/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/07a99e4bee3c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07a99e4bee3c3e8a74711ae37d7305412a9d316ea5e3f764a524a67b6a7158b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 07a99e4bee3c3e8a74711ae37d7305412a9d316ea5e3f764a524a67b6a7158b9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/257385/

Comments