MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 106c61ea367f6d9e573cd711803332d338e7688a07b01774fb23fe78f083faad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 106c61ea367f6d9e573cd711803332d338e7688a07b01774fb23fe78f083faad
SHA3-384 hash: ced004e6e1a1ba6c5cebbc3317dc404d5ef3a103db19df15746ba7972208f03bfe6e7c5a414e0ace5a46503742fac57a
SHA1 hash: 887f75c6fed933019c7ad753df52ef928fce4ea5
MD5 hash: 8aba39363b0c326b30116455eb7bff5a
humanhash: fourteen-zulu-utah-lion
File name:8aba39363b0c326b30116455eb7bff5a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:412'160 bytes
First seen:2021-09-10 14:27:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:u4Yf1mCMCzXdbXjMtRR73TcMk/B1njbFfYKeVhYMIWZdWV3vBLGD:ufECNXdbXjyDD+heVuZWrWBvBk
Threatray 1'573 similar samples on MalwareBazaar
TLSH T136945AF25BB44472F86D89766CFB5A8BC7A29E43A674434F324263605DF17420E0D3BA
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VanossModMenu_InstallerV4.2.exe
Verdict:
Malicious activity
Analysis date:
2021-09-09 23:59:44 UTC
Tags:
trojan rat redline stealer evasion loader vidar unwanted netsupport
Link:
https://app.any.run/tasks/9bcd1c6c-b29d-40b0-85ec-5298b4fbece3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186923/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Sending a UDP request
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3335522f-3dce-41dc-8be3-1ecd2f0c7e46
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/848855
Signature
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481291 Sample: p4MPz5UO73.exe Startdate: 10/09/2021 Architecture: WINDOWS Score: 84 20 Found malware configuration 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected RedLine Stealer 2->24 26 4 other signatures 2->26 7 p4MPz5UO73.exe 1 2->7         started        process3 file4 16 C:\Users\user\AppData\...\p4MPz5UO73.exe.log, ASCII 7->16 dropped 28 Injects a PE file into a foreign processes 7->28 11 p4MPz5UO73.exe 3 7->11         started        signatures5 process6 dnsIp7 18 45.14.49.184, 28743 ITGLOBAL-NL Netherlands 11->18 14 conhost.exe 11->14         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/106c61ea367f6d9e573cd711803332d338e7688a07b01774fb23fe78f083faad/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 18:47:16 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
RedLineStealer
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
RedLineStealer
211c5e542a39bd580d591ee281d719abc67a1b9313e5eecaa904d41dc2cb9d45
RedLineStealer
2db5b8398fe40439d40336311f84437499781d8659a4557b76ff7db71fa4e05e
RedLineStealer
3dbe8ea1016c5cb64f67f85894ea4a82c99f4b3658f12ae021d29fa5399939b0
RedLineStealer
5d124c343ca289f13081d3b447859ef55da2562c3ae650e984995f68c26b1a97
RedLineStealer
73fb4f3ccb12db716b72f5b18dd9fca14ae7b0c23c8bd72aaa156b0f3870a1b1
RedLineStealer
7c78dc5ccbdff7e949fed9b04fcfd5a3b312f0fe950441094d77e8bdbf393491
RedLineStealer
7d6bc9c488ef81546e89c929a34e3d067ff083599c80edad38987fd0771cfe4a
RedLineStealer
e95005fd5b5d80158be2c72eb1a7491674394cd2b2f48c243d930467f1b93372
RedLineStealer
+ 1'563 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:norman3 infostealer
Link:
https://tria.ge/reports/210910-rs1zdsaca9/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.14.49.184:28743
Unpacked files
SH256 hash:
5f4e4125fb8e2c7dc27ef986e27a22174bb23c6d32c4472b08677c876df14ea8
MD5 hash:
11b88aceaf27c9e99064c8cfe012ba11
SHA1 hash:
d739d0ccf3e8b2eb885e64967d6a0fba136b58dc
Link:
https://www.unpac.me/results/2d285658-e17e-430a-8f32-c95d17faf610/
SH256 hash:
f68db4f6e552a6f9a6779d1fd94f0598e063784f6d01b4821c050aba52b58bae
MD5 hash:
033098262aca29a04fbb79b8d04782f4
SHA1 hash:
c72260a0427e8d6715f5e622fefd43dffbc5f732
Link:
https://www.unpac.me/results/2d285658-e17e-430a-8f32-c95d17faf610/
SH256 hash:
95181d418a5f8f507ad01fef9d8959e02a38874ffb306d016661d9bd749060f8
MD5 hash:
bc4afc47e63e7e728125d1a6a005f8f1
SHA1 hash:
61dc2b4e70e36ae35d5fc3ec93d9a27409871f3f
Link:
https://www.unpac.me/results/2d285658-e17e-430a-8f32-c95d17faf610/
SH256 hash:
106c61ea367f6d9e573cd711803332d338e7688a07b01774fb23fe78f083faad
MD5 hash:
8aba39363b0c326b30116455eb7bff5a
SHA1 hash:
887f75c6fed933019c7ad753df52ef928fce4ea5
Link:
https://www.unpac.me/results/2d285658-e17e-430a-8f32-c95d17faf610/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/106c61ea367f6d9e573cd711803332d338e7688a07b01774fb23fe78f083faad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 106c61ea367f6d9e573cd711803332d338e7688a07b01774fb23fe78f083faad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1550115/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/186923/

Comments