MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e47364a4a6b1e59a75a72a91a759daa67c9f4e4101c1231fb6b236026a8a743. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 1e47364a4a6b1e59a75a72a91a759daa67c9f4e4101c1231fb6b236026a8a743
SHA3-384 hash: 96ce60c81a021088d688897bf96822cd9595421d29fb1dae0aeb42690372664870c81179b1df00b18851e47653e8197b
SHA1 hash: 7b9e171d962d46101fd05b7f7c5f027af7a6dd6a
MD5 hash: a9e31a79a0d032567fbe184a958b50b0
humanhash: fifteen-low-monkey-river
File name: RFQ-23511-MACHINE QUOTATION.exe
Signature: RedLineStealer
File size: 825'344 bytes
First seen: 2022-02-17 17:16:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:zIpVAT08H22qla5w/yXbxsgi9ekjSu7NikWwW:UpCY8H0MW/IbxXigMJdWwW
Threatray: 555 similar samples on MalwareBazaar
TLSH: T12F054A58D671DE90E998213B44F537152E2DAE718CCFBA0734AC347ECEBA795AE101C8
dhash icon: 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
2.56.56.182:3631

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
2.56.56.182:3631 | https://threatfox.abuse.ch/ioc/388506/

Intelligence


File Origin
# of uploads: 1
# of downloads: 237
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID: 574251 (sample: RFQ-23511-MACHINE QUOTATION.exe, start date 17/02/2022, architecture WINDOWS, score 100)
Graph summary (rendered image not available): the sample process starts several cmd.exe instances, each of which launches PING.EXE and conhost.exe; it drops C:\...\RFQ-23511-MACHINE QUOTATION.exe.log (ASCII); it resolves api.ip.sb and yahoo.com, and the ping processes contact 74.6.231.21 (YAHOO-NE1US), 98.137.11.163 (YAHOO-GQ1US), 74.6.143.25 (YAHOO-3US) and 192.168.2.1. Signatures shown on the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Injects a PE file into a foreign processes; Uses ping.exe to check the status of other devices and networks; 6 other signatures.
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-17 14:37:09 UTC
File Type: PE (.Net Exe)
Extracted files: 20
AV detection: 18 of 43 (41.86%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:xl discovery infostealer spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 2.56.56.182:3631
Unpacked files

SHA256 hash: cece069722214591a68f28243577ac6eb13eb9c8f510f52a1aaa215810790782
MD5 hash: ae4540720ac7cb35251d79ccedb2230d
SHA1 hash: 16d9b71f082b1303e28c94be9172d17e4e392953

SHA256 hash: 64cb4337c0ec587d5900cee53ef36fbaf1c43eac3c1ad433e5ce5f839d5c63c9
MD5 hash: 112c144b93fd06d6eccc905f8250d5c0
SHA1 hash: 9aab0bc897cc2a2d91ef3212bfd4cef6a298567f

SHA256 hash: 6e9de5c009fb5e3b7ef09e7011c73101057c8ae333d9c6007ae589c929689199
MD5 hash: 7a86c02c89e034f4451e1ddc568a363d
SHA1 hash: 6eeeb126bb779aa2190c8ca2ff6dd899e2de0718

SHA256 hash: 1e47364a4a6b1e59a75a72a91a759daa67c9f4e4101c1231fb6b236026a8a743
MD5 hash: a9e31a79a0d032567fbe184a958b50b0
SHA1 hash: 7b9e171d962d46101fd05b7f7c5f027af7a6dd6a

Malware family: RedLine
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments