MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d5bfc0c20d8142640a572b53e611015b225c0312faac51006c299e59a061a8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d5bfc0c20d8142640a572b53e611015b225c0312faac51006c299e59a061a8a
SHA3-384 hash: 7e0bce24ff2ee9a0cfcbe98ea3ed06a33ab842a4b41331982d647d09bcb8287b7b9e9f638ab2cf86bd60cb9b61ea7c73
SHA1 hash: 1b36528c4f505df852d7fcdd6054cc4ab7d70024
MD5 hash: 26e694fab0a2f2041b191cd154d85ba5
humanhash: juliet-leopard-early-purple
File name:Traves Dreams
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:844'944 bytes
First seen:2020-11-23 09:20:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:lDlChOBhmhrcJH6Zj6M08/p+9U3oQzAdCySN0a0aMjeh5BraLvkfJdqzg32R50+M:lxChOBB8miJsZS5Y2PraLvkXcemaJ
Threatray 23 similar samples on MalwareBazaar
TLSH EA05026E7F3DC450D8A428B474AB8A0213F2EE5268F6FB676FD0762507BF3932406585
Reporter JAMESWT_WT
Tags:RedLineStealer signed Traves Dreams

Code Signing Certificate

Organisation:Traves Dreams
Issuer:Traves Dreams
Algorithm:sha1WithRSAEncryption
Valid from:Nov 20 17:34:15 2020 GMT
Valid to:Nov 21 17:34:15 2030 GMT
Serial number: 770CF60313DAE19B4C466D02C12D7770
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: B62B1F927AB01E352915339B8C44964C9F29B23D4C1C88E7FD3D026D6F130C2A
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Running batch commands
Launching a process
Stealing user critical data
Result
Gathering data
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/544957
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321572 Sample: Traves Dreams Startdate: 23/11/2020 Architecture: WINDOWS Score: 100 33 cdn.onenote.net 2->33 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected RedLine Stealer 2->45 47 .NET source code contains method to dynamically call methods (often used by packers) 2->47 49 10 other signatures 2->49 9 Traves Dreams.exe 3 2->9         started        signatures3 process4 file5 31 C:\Users\user\...\Traves Dreams.exe.log, ASCII 9->31 dropped 53 Injects a PE file into a foreign processes 9->53 13 Traves Dreams.exe 15 22 9->13         started        17 Traves Dreams.exe 9->17         started        19 Traves Dreams.exe 9->19         started        21 Traves Dreams.exe 9->21         started        signatures6 process7 dnsIp8 37 api.ip.sb 13->37 39 WHOIS.RIPE.NET 193.0.6.135, 43, 49732 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 13->39 41 6 other IPs or domains 13->41 55 Tries to harvest and steal browser information (history, passwords, etc) 13->55 23 cmd.exe 1 13->23         started        signatures9 process10 dnsIp11 35 127.0.0.1 unknown unknown 23->35 51 Uses ping.exe to sleep 23->51 27 conhost.exe 23->27         started        29 PING.EXE 1 23->29         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d5bfc0c20d8142640a572b53e611015b225c0312faac51006c299e59a061a8a/
Threat name:
ByteCode-MSIL.Trojan.Vimditator
Create hunting rule
Status:
Malicious
First seen:
2020-11-22 23:22:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvn7ydba3akcmqffok2t4yiqcwzclqbrf6vmkeagykm6lgqgdkfa._file
Verdict:
malicious
Similar samples:
0215f9dd19951e07aaa5ddfed10c4b46af716a8e3ce1ccb853f0992d14ee3e34
RedLineStealer
22e8a783296dcabf49cb2c9b5f5a05b1cf670591e71130b08424a450aa54c419
RedLineStealer
2caacde56329c3cb26c041d2535a5121d02fc195193f4046aabec42d61655d68
RedLineStealer
40e054c5c315d144c46e4caab2eb10d61f71c8f3cb97a85e81b96ce6a306463d
RedLineStealer
446edc0d1f7fff55b43dc47d935ac4c8b4ec345a5edaf90f5ea2122d3137f19b
RedLineStealer
91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c
RedLineStealer
96fadfece02fcc7d1b3f8e98c1df30dc61e9e8298543de46b54ad088f18aec59
RedLineStealer
b185c97cf356748005cda3b4ccb5a6df0e059c8869ba3b3f33595984bb60f380
RedLineStealer
b4c89616a5a88bf22085f8f4322ad8935265dc5d34248bb1332dbc1d4537c9e8
RedLineStealer
f9606e3e6dda93ec347cb4de7181ec53d26c6cbf7936097502170935d3afe0df
RedLineStealer
+ 13 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline discovery infostealer keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201123-wab8b8d2lj/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
470af690ef1be12a77fff676d44ef71eda055230c5acd729a82ef6196747d61d
MD5 hash:
7c48dae85aa7ab53fee214d5402ce4cd
SHA1 hash:
311d533e69b1f6ab51ec1e1c1183e0bd20c39e7e
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/47a04e2a-a4fe-47fb-b2f8-c2055dfbbacb/
SH256 hash:
ca1cd9aeb14d7b05e058aeb2aa88e7115579a19dcb4bbf48e2055853b9137cbe
MD5 hash:
38c582a5cd45126f6f3079b8ff1a9797
SHA1 hash:
596c1d0c3d18958d4e7d042f07ca91f130383b77
Link:
https://www.unpac.me/results/47a04e2a-a4fe-47fb-b2f8-c2055dfbbacb/
SH256 hash:
0f09da9e1dac9256b68f732a4dbcbf10e962ab9ada1aa9c19d86be0249193b9e
MD5 hash:
14a29370ec1333081c6d624222b18235
SHA1 hash:
78967ccd44e94b0a64a652cdbb27c1d093c26a19
Link:
https://www.unpac.me/results/47a04e2a-a4fe-47fb-b2f8-c2055dfbbacb/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/47a04e2a-a4fe-47fb-b2f8-c2055dfbbacb/
SH256 hash:
0d5bfc0c20d8142640a572b53e611015b225c0312faac51006c299e59a061a8a
MD5 hash:
26e694fab0a2f2041b191cd154d85ba5
SHA1 hash:
1b36528c4f505df852d7fcdd6054cc4ab7d70024
Link:
https://www.unpac.me/results/47a04e2a-a4fe-47fb-b2f8-c2055dfbbacb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Vimditator
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/0d5bfc0c20d8142640a572b53e611015b225c0312faac51006c299e59a061a8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_redline_stealer_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:Detects unpacked main component of Redline Stealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105238/

Comments