MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445
SHA3-384 hash: 0d1f9654cc8c82d64cbf23df9d3f9cacb375dbfc073e9e6ec98553acfdb9560e2dc68c14378ab3924465574bdd0b3752
SHA1 hash: 349ead630fb0f7f12fae208b573a255f12095ed1
MD5 hash: b2c1396260a5bf7289fbd08cdb3cc96d
humanhash: spring-mango-freddie-earth
File name:b2c1396260a5bf7289fbd08cdb3cc96d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'171'096 bytes
First seen:2021-03-22 09:13:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:WimIXlguyh7oDAD/fFWpgMxxxfrHOHk2Nk6sY0WgLtpPYj8aqh+sam9E57rxE2AB:Fl2uypoDY1WPjxX5RY0dLtGjFbsiUN
Threatray 421 similar samples on MalwareBazaar
TLSH BE45379F75054953D51B113A838AA580CE20EE8F1D69ABEF21D5B3140D33AF2A8077FE
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.153.198.36:10202/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.153.198.36:10202/ https://threatfox.abuse.ch/ioc/4372/

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b2c1396260a5bf7289fbd08cdb3cc96d.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 09:18:59 UTC
Tags:
rat redline trojan evasion
Link:
https://app.any.run/tasks/ed9e6d29-b552-40d7-9b23-5ec675ce54da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/125869/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.63243.5113.20161.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
RMSRemoteAdmin RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647560
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 372745 Sample: trppS0BjmT.exe Startdate: 22/03/2021 Architecture: WINDOWS Score: 100 97 smtp.yandex.ru 2->97 121 Multi AV Scanner detection for dropped file 2->121 123 Multi AV Scanner detection for submitted file 2->123 125 Yara detected RedLine Stealer 2->125 127 6 other signatures 2->127 15 trppS0BjmT.exe 3 2->15         started        19 svchost.exe 2->19         started        21 svchost.exe 9 1 2->21         started        24 7 other processes 2->24 signatures3 process4 dnsIp5 95 C:\Users\user\AppData\...\trppS0BjmT.exe.log, ASCII 15->95 dropped 111 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->111 113 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->113 115 Injects a PE file into a foreign processes 15->115 26 trppS0BjmT.exe 15 25 15->26         started        117 Changes security center settings (notifications, updates, antivirus, firewall) 19->117 31 MpCmdRun.exe 19->31         started        103 127.0.0.1 unknown unknown 21->103 file6 signatures7 process8 dnsIp9 105 api.ip.sb 26->105 107 185.153.198.36, 10202, 49720, 49729 RMINJINERINGRU Russian Federation 26->107 109 4 other IPs or domains 26->109 79 C:\Users\user\AppData\Local\...\swnetwork.exe, PE32 26->79 dropped 81 C:\Users\user\AppData\Local\Temp\srvs.exe, PE32 26->81 dropped 137 Tries to harvest and steal browser information (history, passwords, etc) 26->137 33 srvs.exe 2 26->33         started        36 swnetwork.exe 26->36         started        40 conhost.exe 31->40         started        file10 signatures11 process12 dnsIp13 69 C:\Users\user\AppData\Local\Temp\...\srvs.tmp, PE32 33->69 dropped 42 srvs.tmp 5 15 33->42         started        99 api.ip.sb 36->99 101 74.119.193.164 MOVECLICKLLCUS United States 36->101 131 Antivirus detection for dropped file 36->131 133 Machine Learning detection for dropped file 36->133 135 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->135 file14 signatures15 process16 file17 73 C:\ProgramData\is-Q6PTR.tmp, PE32 42->73 dropped 75 C:\ProgramData\is-P9DDM.tmp, PE32+ 42->75 dropped 77 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->77 dropped 45 cmd.exe 42->45         started        process18 file19 91 C:\...\PasswordOnWakeSettingFlyout.exe, PE32+ 45->91 dropped 93 C:\Windows \System32\uxtheme.dll, PE32+ 45->93 dropped 139 Drops executables to the windows directory (C:\Windows) and starts them 45->139 141 Uses regedit.exe to modify the Windows registry 45->141 49 PasswordOnWakeSettingFlyout.exe 45->49         started        51 conhost.exe 45->51         started        54 timeout.exe 45->54         started        signatures20 process21 signatures22 56 pass.exe 49->56         started        129 DLL side loading technique detected 51->129 process23 file24 71 C:\Users\user\AppData\Local\Temp\...\pass.tmp, PE32 56->71 dropped 59 pass.tmp 56->59         started        process25 file26 83 C:\ProgramData\Immunity\is-SUEEA.tmp, PE32 59->83 dropped 85 C:\ProgramData\Immunity\is-4IR4P.tmp, PE32 59->85 dropped 87 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 59->87 dropped 89 3 other files (none is malicious) 59->89 dropped 62 cmd.exe 59->62         started        64 cmd.exe 59->64         started        process27 process28 66 conhost.exe 64->66         started        signatures29 119 DLL side loading technique detected 66->119
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-19 23:09:53 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dpuipk4at5gv6rb5pdxaeqtzksvpmm3fxyud73btlebkysf2ircq._file
Verdict:
malicious
Similar samples:
29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9
RedLineStealer
2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
RedLineStealer
475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2
RedLineStealer
4b6db0ab009cf8babc3d2f5390b8dba1ae7367c24cb0988dd96d04a4b25a2b4a
RedLineStealer
58472769f4701ccaef3d6cb6e32317f49a680dfaf1dc7ac1e8de76a02b41c7f3
RedLineStealer
752abe1050403b95676de500b60db8b36e26f02e4b24eb84ae9f4daf6d03b957
RedLineStealer
807e65fc407c3d9f024b10e8cfb20c2e10ad067aa217fe97ec1b075c24dbc936
RedLineStealer
aed38ba366e382ed5d83fabe10195028a22dcc050ad3399048fc240421e4aad4
RedLineStealer
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
RedLineStealer
c4e42ebfd487b325ece4f09d75687c96e252aa8559f8a8daad6336dc39ee5424
RedLineStealer
+ 411 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210322-j71ft3kch2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
Unpacked files
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/46e0284a-a85a-4d87-9f02-f2733fb20768/
SH256 hash:
3566ab404d69cec5d64e10b2f6f06f40818dd0d7721a14984fe8b432bcc51b35
MD5 hash:
cdabdf989fec57ef53023384be9a525b
SHA1 hash:
734ba6103068fc4a990539a4af0dd691dccaa332
Link:
https://www.unpac.me/results/46e0284a-a85a-4d87-9f02-f2733fb20768/
SH256 hash:
28cc6f7dbac30590fed3b34e21d5f53cd87c723f611c3acb5c9e76fb8589bb4f
MD5 hash:
3a3cfc2212a0be4d3a404e3520f94332
SHA1 hash:
96e2ca1596c630b2ce17f9ac17c8dbf5b117f787
Link:
https://www.unpac.me/results/46e0284a-a85a-4d87-9f02-f2733fb20768/
SH256 hash:
1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445
MD5 hash:
b2c1396260a5bf7289fbd08cdb3cc96d
SHA1 hash:
349ead630fb0f7f12fae208b573a255f12095ed1
Link:
https://www.unpac.me/results/46e0284a-a85a-4d87-9f02-f2733fb20768/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1083196/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1083197/
Cape
Cape
https://www.capesandbox.com/analysis/125869/

Comments