MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1df627a462077149e7a934ea1b758c8fccf34933f340fab14ca8976b4a6a5c20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1df627a462077149e7a934ea1b758c8fccf34933f340fab14ca8976b4a6a5c20
SHA3-384 hash: ee1e22d07a6e08ef5689becd5e4b1e5ece9c45675d8e51f381b7f7219987e122395b6b89d0fa72f5006743a924c1a399
SHA1 hash: ddfeb5cbe8b9ae528629fe5e8afea7a7ea8fe570
MD5 hash: 310fd2e6a2056c7983afd48b75b5ca88
humanhash: double-yellow-rugby-fillet
File name:310fd2e6a2056c7983afd48b75b5ca88.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'019'040 bytes
First seen:2021-03-10 17:31:25 UTC
Last seen:2021-03-10 19:45:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:YnOXBftNUU+PPLp8F/QiuQUjT7vWCCCfGKz:YnOxX+PPLp8FITTWCCCfz
Threatray 598 similar samples on MalwareBazaar
TLSH 8D257D2F7649DC50C50D2936C68B943893E28F466B3BE62E75C13B971B323DED90E089
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
310fd2e6a2056c7983afd48b75b5ca88.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 17:54:18 UTC
Tags:
rat redline trojan stealer
Link:
https://app.any.run/tasks/eada5b54-bbd7-4ef0-baea-80d275b98ad7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis310FD2E6A205.30183.17578.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/634834
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 17:32:07 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
masslogger
Create hunting rule
Similar samples:
0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c
RedLineStealer
2cd722bc4e448f38f4e79e69a48a7fc3f92c09586e50bc0f3f9f8dc5f4495fcc
RedLineStealer
3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5
RedLineStealer
5637daf1b0a5e312bf2118b89083c186fa32f074a12006ef7df0e49ce51f40c1
RedLineStealer
6db5c602b2b6eda92f499857a0e0944798b1b2988a004ae06db65d80df3b7145
RedLineStealer
70da4cb906561579f992801bfce2c3f1daf01833b292a9bd04545b7e0ee49fbd
RedLineStealer
7c19dad6af8b2138eb289abbf8f64664ddc07f8d9f715445e8774c3bff4fbb02
RedLineStealer
c566df7033c0aafb582e41c0d9656f6292b5ee997ec4eaef85e752ba0722848f
RedLineStealer
e38724644ed4643ebcdea6b0ae8345bf094d9f6e6d81b0acb244f96a3129077e
RedLineStealer
fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f
RedLineStealer
+ 588 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline agilenet discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/210310-3qj7r5ggw2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
RedLine
RedLine Payload
Unpacked files
SH256 hash:
1df627a462077149e7a934ea1b758c8fccf34933f340fab14ca8976b4a6a5c20
MD5 hash:
310fd2e6a2056c7983afd48b75b5ca88
SHA1 hash:
ddfeb5cbe8b9ae528629fe5e8afea7a7ea8fe570
Link:
https://www.unpac.me/results/3e920dca-9b74-428e-a482-de14733dcb51/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/1df627a462077149e7a934ea1b758c8fccf34933f340fab14ca8976b4a6a5c20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1df627a462077149e7a934ea1b758c8fccf34933f340fab14ca8976b4a6a5c20

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/993438/
  
Delivery method
Distributed via web download

Comments