MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d6594dae8104135ded8e7ccb1adb6805ef9d770d866b8786dec290a639c9920. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d6594dae8104135ded8e7ccb1adb6805ef9d770d866b8786dec290a639c9920
SHA3-384 hash: ddd98395a22d507ebdae27197a151b610dcb1eaf707df64122326525bf94d65a75eb96532ed5f0db6c507e7aaf231993
SHA1 hash: c5c7b81bb487e7a97edc0679f2d744d5f28a4ccc
MD5 hash: 9a44b63f32b586099420810f08c13873
humanhash: robert-april-low-two
File name:9a44b63f32b586099420810f08c13873.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:609'280 bytes
First seen:2021-03-10 12:29:26 UTC
Last seen:2021-03-10 13:45:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:3lt47KQCRDN16HW3mQJWFsna2mAUpdnK6gLNpfuTw1OuZiv1tx7wa3GXobfArK4I:nfBr5NJG/JdnK5/u6t8vznauOKVK
Threatray 46 similar samples on MalwareBazaar
TLSH 40D45BC1E499FDD9D43811B6A972A5282263A65FF4B59D3F28B7700860B7383A077D0F
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9a44b63f32b586099420810f08c13873.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 12:32:56 UTC
Tags:
rat redline trojan
Link:
https://app.any.run/tasks/a206cb3c-5ccb-4df4-a876-853a83122fba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123621/
Detection(s):
SecuriteInfo.com.Variant.Bulz.387399.29328.25396.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/634360
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 12:30:08 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvszjwxicbatlxwy47gldlnwqbpptv3q3btlq6dn5ququy44teqa._file
Verdict:
malicious
Similar samples:
002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9
RedLineStealer
4f5a1f4b9e455ab7f9ca41af17f4fef53c5dbe28e6767ca069ff3d1931847fa6
RedLineStealer
616939c7c18fb2b2003c879f8e5cf41fbd7e4291fda08e969592dcc213ed4941
RedLineStealer
75ae1751515b48d24859c91fd08bd0595d84decb06566c1d3eec6363b0be9d82
RedLineStealer
8308508b1aa9b9843efceb21bfa235bbe44b86b3979a4dffae301b3ec8c0bce2
RedLineStealer
8a3d133145f60e13d148354f3f98de719db9c64d80f0538f53028f9bdc075a72
RedLineStealer
badb1739d819774ec20371577cb5435f40fd9943258fb3fbff14f078884c58e4
RedLineStealer
e575af9a4b8de92d24859894514462f2c9ab0a5cb16cf1798a55c923613cd13c
RedLineStealer
e58ef47a566a73ad01ce7a37c178d1fce2a3282882f814997aab487200cf8005
RedLineStealer
e9a66c730fa980242a636338edc5351b82fc20ac3425b6bc1f3e4ec5ed8a5fe2
RedLineStealer
+ 36 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware
Link:
https://tria.ge/reports/210310-w4pr4l48r6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
3a34daa4689f312ea9ae79f66b29f6de9fc022e63c950ad1badfab55593073da
MD5 hash:
a83e37dcb725757a9754e1e63ae98c08
SHA1 hash:
a37a9a4f7a34152c6ae39a141867069754055434
Link:
https://www.unpac.me/results/346bca00-3887-480f-b722-cc8a887bddcb/
SH256 hash:
1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc
MD5 hash:
8f85df46a482b5b068ae7667bf1a33d6
SHA1 hash:
a210d369311aa4d709dc962c634174738576907e
Link:
https://www.unpac.me/results/346bca00-3887-480f-b722-cc8a887bddcb/
SH256 hash:
70e082c7474ff3fd7046d6c6d0661d1aa65f44da858402894b443bdde1f8fa2e
MD5 hash:
99747bf4414056441ffb3e1f0aa4a35e
SHA1 hash:
26be7a0a23adb58e9b4f54ea3ac94c298d85a56c
Link:
https://www.unpac.me/results/346bca00-3887-480f-b722-cc8a887bddcb/
SH256 hash:
1d6594dae8104135ded8e7ccb1adb6805ef9d770d866b8786dec290a639c9920
MD5 hash:
9a44b63f32b586099420810f08c13873
SHA1 hash:
c5c7b81bb487e7a97edc0679f2d744d5f28a4ccc
Link:
https://www.unpac.me/results/346bca00-3887-480f-b722-cc8a887bddcb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/1d6594dae8104135ded8e7ccb1adb6805ef9d770d866b8786dec290a639c9920

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1d6594dae8104135ded8e7ccb1adb6805ef9d770d866b8786dec290a639c9920

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/123621/
  
URLhaus
https://urlhaus.abuse.ch/url/1011491/
  
Delivery method
Distributed via web download

Comments