MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a7f5f666fb7a1cdda25353191ddaced97674f596af7230d58af2ee14ea14819. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a7f5f666fb7a1cdda25353191ddaced97674f596af7230d58af2ee14ea14819
SHA3-384 hash: c9ea865523ab6c9628f8c18cfea68bd667a4a834493fb46d7577dc56889a531fe0676afded225fe8a4db4b202e511677
SHA1 hash: bb85a6645a908be90ff4015e069904194cb282cf
MD5 hash: cd3f88a43b2764c4896ab8f879fb2c10
humanhash: wisconsin-winner-golf-massachusetts
File name:cd3f88a43b2764c4896ab8f879fb2c10
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:669'184 bytes
First seen:2021-09-01 21:55:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:LQBD8ozQzHR21FJLgGz0kUTVvSERat1Hin2n+jX/oKrcqIyfm/a7bB3+Xv:LQBD8DWsvS+ICn2n0AKgqIyfmE
Threatray 1'304 similar samples on MalwareBazaar
TLSH T1DCE40A3E18FE23279176C7D5CBE18823F2D498AF3233A96567D747264316A4674C322E
dhash icon 71ccb2b2b2b2cc71 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd3f88a43b2764c4896ab8f879fb2c10
Verdict:
Malicious activity
Analysis date:
2021-09-01 21:57:20 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/1420220c-5b24-4369-9cca-fd015a102712

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184582/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48b2ae7b-932e-4080-9cf2-821b12ce9494
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843668
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a7f5f666fb7a1cdda25353191ddaced97674f596af7230d58af2ee14ea14819/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 19:33:25 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
01b259c2a07e81f3a2636fcf80ddd3d90a7daaafc218eee30f9a8247f09e1f39
RedLineStealer
069834c0109d17508121653ab6d19d1a00bd6e0fb27e2248b0da94dffd517cb4
RedLineStealer
15500244e3dc1de0b63b0b8342380ae569510f3b932ae3c3ce8096bc7c1161ee
RedLineStealer
169a316f9557b3a154c1cbc1ab4aae2b690d71fd197ff39ac77e58c7e7db4196
RedLineStealer
27c106e7c9e455f880849d79759df345d2117aa2e2357696dabb51bc11adce8b
RedLineStealer
2e3771458d1cb347833dd9042d04ed03eb805b62ab388bf641d9f07b651e48b6
RedLineStealer
3ca3ef048fd26e03a002f3fc9d80ecf27621dd27643857cfdac7c60c26d36a27
RedLineStealer
d06f2c1e45f62b363834c1ed0bd33fcbcc3ba26b2c8075717b1ff124f273c4b5
RedLineStealer
+ 1'294 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:crypto discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210901-zcxbvw85c6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
212.86.102.139:32600
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/fd1ea13a-7ea4-44ea-aee7-5d8a960d602a/
SH256 hash:
74fe80bc4588cb5ff7cd5b7d00ca941a5fad40b084a049bc7b69f83fb1fdfa24
MD5 hash:
c535594fedcb835d1f14b099fd10870a
SHA1 hash:
b846c5ff96e942de77322699632d4ebddfb6931f
Link:
https://www.unpac.me/results/fd1ea13a-7ea4-44ea-aee7-5d8a960d602a/
SH256 hash:
0cff804e8517d1e84d2cf767f40c3263e6e95f73a32899174c5987b3eff9ba05
MD5 hash:
b56fbe744fb23ca8708e9be354595626
SHA1 hash:
8b9d1d175d791616b3a34c6f80c9a446d2a83a53
Link:
https://www.unpac.me/results/fd1ea13a-7ea4-44ea-aee7-5d8a960d602a/
SH256 hash:
0a7f5f666fb7a1cdda25353191ddaced97674f596af7230d58af2ee14ea14819
MD5 hash:
cd3f88a43b2764c4896ab8f879fb2c10
SHA1 hash:
bb85a6645a908be90ff4015e069904194cb282cf
Link:
https://www.unpac.me/results/fd1ea13a-7ea4-44ea-aee7-5d8a960d602a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0a7f5f666fb7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a7f5f666fb7a1cdda25353191ddaced97674f596af7230d58af2ee14ea14819

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0a7f5f666fb7a1cdda25353191ddaced97674f596af7230d58af2ee14ea14819

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/184582/

Comments


Avatar
zbet commented on 2021-09-01 21:55:49 UTC

url : hxxp://37.0.10.214/WW/file5.exe