MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a5faef2bdcce3d5b58e9062bf8f936596a96eaf0b270ed86cac3033cd922537. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 11



SHA256 hash: 0a5faef2bdcce3d5b58e9062bf8f936596a96eaf0b270ed86cac3033cd922537
SHA3-384 hash: 6562873f65bf8f31cefb2af76e641261358f2ff2382bf117794a3f50389d26c7ece231f35f24221c9825edaf1fd87f5f
SHA1 hash: 67233ab2394ad1e75362cbc3278081ea5105d821
MD5 hash: 383b866c7b2a1039fbf537381399fed3
humanhash: foxtrot-avocado-alpha-missouri
File name: 383b866c7b2a1039fbf537381399fed3.exe
Signature: RedLineStealer
File size: 357'376 bytes
First seen: 2021-01-08 18:35:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 83d64fbebfab92d1c7af4b69e750554f (1 x RedLineStealer, 1 x Amadey)
ssdeep: 6144:L2/aISRRSF+z6IiITXx/WUGbYFXt1fCMvJZfRRTMCFhLDuXlxX2i:LwSR9ziIE5bYF91DJpRpPS
Threatray: 928 similar samples on MalwareBazaar
TLSH: 5B741206E37054F8FC703DB0DB597BA142073A204BFFDD2BE9824D9979365D86AA1C98
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://85.10.204.178:35200/IRemotePanel

Intelligence


File Origin
# of uploads: 1
# of downloads: 305
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 383b866c7b2a1039fbf537381399fed3.exe
Verdict: Malicious activity
Analysis date: 2021-01-08 18:43:10 UTC
Tags: rat redline trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Stealing user critical data
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Ficker Stealer RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-01-08 17:33:00 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SHA256 hash: 0a5faef2bdcce3d5b58e9062bf8f936596a96eaf0b270ed86cac3033cd922537
MD5 hash: 383b866c7b2a1039fbf537381399fed3
SHA1 hash: 67233ab2394ad1e75362cbc3278081ea5105d821

SHA256 hash: 7480d376e3bff605e95a0cf235aa6c1c2a852650ac4023a3c37abc9019ee5cb5
MD5 hash: a3df88428f15ed5232e1ffba19f8fbb4
SHA1 hash: 4d4f357f29a0dfa02d479547696cff666b01966a

SHA256 hash: 3d1f8e72f7caebe74c79b66184b339d4b3e3f08eacace13784af91287c571601
MD5 hash: 006a15e719c50cdffada8b325c9bbea1
SHA1 hash: 3705416bc798bc4d42c527c29824e218d0dd9093
Detections: win_redline_stealer_g0

SHA256 hash: 718473e2be007352c59519b2fa71d3af63f159f2d3a63391d755e08bb435b3b5
MD5 hash: 30a1d313d50c3cb25e2e3908d8c201fe
SHA1 hash: 4a2db01c18c347c7090501c513f0804fd8bea6c7
Detections: win_redline_stealer_g0

SHA256 hash: 6ba584610a120e50651032a0bbdb4a5ac836d1c30e20d4b111f0790f4d75179f
MD5 hash: 69eeb5e008398dc2e59eda416a3ef949
SHA1 hash: fda8d1de07cd08e10709498a482c06521381fb08
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 0a5faef2bdcce3d5b58e9062bf8f936596a96eaf0b270ed86cac3033cd922537 (this sample)

Delivery method
Distributed via web download
