MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10d94abd5900b4658aee2a6e4f66fa97bde81047ccac8340d78fae45711f10e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10d94abd5900b4658aee2a6e4f66fa97bde81047ccac8340d78fae45711f10e4
SHA3-384 hash: df35ab23152808b936e8810c1057aa9ed7f8f01fcc06ef4c8e2854c07bf045acca17de8f5f48b1d3c67ec2ce4b05b40c
SHA1 hash: 9689fd3c8ab8650927fa43e605db5eceb378f81c
MD5 hash: 07c8ceffcfe28cc6c365d88434861190
humanhash: queen-indigo-october-cold
File name:07c8ceffcfe28cc6c365d88434861190
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'818'824 bytes
First seen:2022-05-21 14:35:54 UTC
Last seen:2022-05-21 15:38:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:9hj4DNXi5Yc1F6eQ+xdJrj3UxipE26DfM+0NQ7:9h6rc1F6eQ+xdFi2+
Threatray 809 similar samples on MalwareBazaar
TLSH T14FD56F1BA7D44E2AF061017534FBE610661D81021EFEFAF6F7B8521B1F6DEC07A4A294
TrID 44.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
26.2% (.EXE) InstallShield setup (43053/19/16)
7.9% (.SCR) Windows screen saver (13101/52/3)
6.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon fce69ba58df3e6fc (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
07c8ceffcfe28cc6c365d88434861190
Verdict:
Malicious activity
Analysis date:
2022-05-21 14:37:21 UTC
Tags:
installer trojan rat redline
Link:
https://app.any.run/tasks/44608bbb-9edf-4fbc-9a58-3d2f7be20c90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273313/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed replace.exe stealer update.exe warp
Link:
https://www.filescan.io/uploads/6288f8d4206e0816183662f5/reports/a549e14d-cd58-45c0-84ec-7145f3c9c110/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/057292f4-566d-45d6-8408-2240d0540169
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999089
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10d94abd5900b4658aee2a6e4f66fa97bde81047ccac8340d78fae45711f10e4/
Threat name:
ByteCode-MSIL.Trojan.RelineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-21 10:28:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
263
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdmuvpkzac2glcxofjxe6zx2s666qechzswigqgxr6xek4i7cdsa._file
Verdict:
suspicious
Similar samples:
2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb75776e6385e0b182e3624a
RedLineStealer
35ca9c06c64525702c430b2781dca9570ba31ba755294b034b926357a2aa2451
RedLineStealer
7b56c37bff2fcded39ac0a413320b1705c70c78d257a2f87327d759afa0c10f2
RedLineStealer
851bba6f93b83f524a19a95ed9fd4f59d163de3d825ee276114b3d03ae206beb
RedLineStealer
a74f9ed962019491f7d2995e4c03ace954c0d4bb81cddb3e79cedd58c40dc6f1
RedLineStealer
c2edd73c44beb4bae6d666109f793c0e246a1cc28bf868d10841023283d880d5
RedLineStealer
c4723b946e8913f59ccb64d9025440820124104c653c79023f09d28da35d0442
RedLineStealer
+ 799 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220521-ryj8tschfq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
10d94abd5900b4658aee2a6e4f66fa97bde81047ccac8340d78fae45711f10e4
MD5 hash:
07c8ceffcfe28cc6c365d88434861190
SHA1 hash:
9689fd3c8ab8650927fa43e605db5eceb378f81c
Link:
https://www.unpac.me/results/bf3ede58-b8ac-4f37-b73c-5d108d4f3038/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10d94abd5900/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/10d94abd5900b4658aee2a6e4f66fa97bde81047ccac8340d78fae45711f10e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:NETDIC208_NOCEX
Create hunting rule
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:NETDIC_208
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 10d94abd5900b4658aee2a6e4f66fa97bde81047ccac8340d78fae45711f10e4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2205434/
Cape
Cape
https://www.capesandbox.com/analysis/273313/

Comments


Avatar
zbet commented on 2022-05-21 14:35:59 UTC

url : hxxp://37.120.222.121/store/items/55.exe