MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1137baf67a25b1656ec0233661cc32469173634110eac14330f64111bb10500d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1137baf67a25b1656ec0233661cc32469173634110eac14330f64111bb10500d
SHA3-384 hash: be6dddc9467dfd3fb515ec818f026a44789f52df73fb542dcd85c4c85be112ab918b974ddc51840e02cacb2f4b0b1b69
SHA1 hash: b6fcf145948c4e2da7a9708403d6ff4556cfd477
MD5 hash: b6dc061ae0248ec30779a2701a58337d
humanhash: triple-illinois-red-hydrogen
File name:B6DC061AE0248EC30779A2701A58337D.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:909'432 bytes
First seen:2021-03-24 07:12:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:S5173Q1cjQkLMc+8qzgsI1KISSR0o6y2/KyA:EzQ1cj/MNgdSSR0o6y2nA
TLSH DB1539D6AD845EC0D4B3F2F1A449866207A42C55E88886FC4DF97CBA45354ABED3B03F
Reporter abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:GitHub, Inc.
Issuer:DigiCert SHA2 Assured ID Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-01-23T00:00:00Z
Valid to:2022-02-08T12:00:00Z
Serial number: 045d8f14a82147641722d4fafc66bc80
Thumbprint Algorithm:SHA256
Thumbprint: 2d7cf43e78b2e0a28afd11a76567662ec05f6036a448ec0c04afffee5b18c918
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RedLineStealer C2:
http://jzolonnen.xyz/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://jzolonnen.xyz/ https://threatfox.abuse.ch/ioc/4790/

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B6DC061AE0248EC30779A2701A58337D.exe
Verdict:
Malicious activity
Analysis date:
2021-03-24 07:31:21 UTC
Tags:
rat redline trojan
Link:
https://app.any.run/tasks/dc7613b3-fa9c-4833-80c1-0d30acc527a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.580.10039.13960.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
70 / 100
Link:
https://www.joesandbox.com/analysis/651733
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 374828 Sample: wBMrs2pk8w.exe Startdate: 24/03/2021 Architecture: WINDOWS Score: 70 78 updates.tdesktop.com 2->78 92 Sigma detected: Scheduled temp file as task from temp location 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 Yara detected BitRAT 2->96 98 7 other signatures 2->98 10 wBMrs2pk8w.exe 3 2->10         started        signatures3 process4 file5 70 C:\Users\user\AppData\...\wBMrs2pk8w.exe.log, ASCII 10->70 dropped 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->108 110 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->110 112 Injects a PE file into a foreign processes 10->112 14 wBMrs2pk8w.exe 15 26 10->14         started        signatures6 process7 dnsIp8 82 updates.tdesktop.com 149.154.167.80, 443, 49734 TELEGRAMRU United Kingdom 14->82 84 jzolonnen.xyz 91.235.129.177, 49729, 49732, 49733 ITLDC-NLUA Ukraine 14->84 86 5 other IPs or domains 14->86 72 C:\Users\user\AppData\...\RuntimeUpdater.exe, PE32 14->72 dropped 74 C:\Users\user\...\RuntimeCompressor.exe, PE32 14->74 dropped 76 C:\Users\user\AppData\...\tsetup.2.6.1.exe, PE32 14->76 dropped 88 Tries to harvest and steal browser information (history, passwords, etc) 14->88 90 Tries to steal Crypto Currency Wallets 14->90 19 RuntimeCompressor.exe 14->19         started        23 RuntimeUpdater.exe 6 14->23         started        25 tsetup.2.6.1.exe 2 14->25         started        file9 signatures10 process11 file12 54 C:\Users\user\AppData\...\mXsFOVadrxyqq.exe, PE32 19->54 dropped 100 Adds a directory exclusion to Windows Defender 19->100 102 Injects a PE file into a foreign processes 19->102 27 RuntimeCompressor.exe 19->27         started        31 powershell.exe 19->31         started        33 schtasks.exe 19->33         started        35 powershell.exe 19->35         started        56 C:\Users\user\AppData\Local\Temp\tmp43D.tmp, XML 23->56 dropped 58 C:\Users\user\AppData\Roaming\njlpcGHdG.exe, PE32 23->58 dropped 104 Multi AV Scanner detection for dropped file 23->104 106 Uses schtasks.exe or at.exe to add and modify task schedules 23->106 37 schtasks.exe 23->37         started        39 RuntimeUpdater.exe 23->39         started        60 C:\Users\user\AppData\...\tsetup.2.6.1.tmp, PE32 25->60 dropped 41 tsetup.2.6.1.tmp 30 22 25->41         started        signatures13 process14 dnsIp15 80 203.159.80.242 LOVESERVERSGB Netherlands 27->80 114 Hides threads from debuggers 27->114 44 conhost.exe 31->44         started        46 conhost.exe 33->46         started        48 conhost.exe 35->48         started        50 conhost.exe 37->50         started        62 C:\Users\user\AppData\...\is-KHM46.tmp, PE32 41->62 dropped 64 C:\Users\user\AppData\...\is-JS88T.tmp, PE32 41->64 dropped 66 C:\Users\user\AppData\...\is-JKDOL.tmp, PE32 41->66 dropped 68 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 41->68 dropped 52 Telegram.exe 41->52         started        file16 signatures17 process18
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1137baf67a25b1656ec0233661cc32469173634110eac14330f64111bb10500d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-17 02:30:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ce33v5t2ewywk3waem3gdtbsi2ixgy2bcdvmcqzq6zardoyqkagq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210324-3lbvpy15c6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
Unpacked files
SH256 hash:
2b43013edb5706a946f4e523a1a219b31fe2a7e05c48884c048882b3c1327655
MD5 hash:
b7159eb14fe565d4e233604b629bbd8a
SHA1 hash:
64f82c67e6c7cbc078141162a49bffcee3d9ebb9
Link:
https://www.unpac.me/results/a94449a4-c88d-4e5e-9aaa-fa8c727bf2a3/
SH256 hash:
1137baf67a25b1656ec0233661cc32469173634110eac14330f64111bb10500d
MD5 hash:
b6dc061ae0248ec30779a2701a58337d
SHA1 hash:
b6fcf145948c4e2da7a9708403d6ff4556cfd477
Link:
https://www.unpac.me/results/a94449a4-c88d-4e5e-9aaa-fa8c727bf2a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/1137baf67a25b1656ec0233661cc32469173634110eac14330f64111bb10500d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments