MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1
SHA3-384 hash: 35a4660d63bd9ab232b992cd755999a4ada8a30e818fb376cefd40005730e422addcc75bff63f5b87f9cee728a65f164
SHA1 hash: 3b9c77848c99bb15bc6faf5d327080f92f47cb0c
MD5 hash: 4b155568c93b744eadea5dd3baa57945
humanhash: alpha-florida-kansas-bravo
File name:GMC New Order 18-2938PDF.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'083'904 bytes
First seen:2020-10-07 05:02:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rZIlvNiGcVKNRVa4Divv6W/6iQmAmHFbAhQb9o7vj+SiyyjK:NIlYG6o1GEirAmlsmbkKd8
Threatray 12 similar samples on MalwareBazaar
TLSH 1E35AD412288499BF123A4B5956FC47066B5AC8A8514C68D3FC2ED3FFACFB8170E674D
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
Malspam distributing RedLineStealer:

HELO: acehardware.com
Sending IP: 108.31.118.24
From: Will McCann<sales@acehardware.com>
Subject: Quote Request
Attachment: PGMB New Order 18-2938PDF.img (contains "GMC New Order 18-2938PDF.exe")

RedLineStealer C2:
http://wolf957.duckdns.org:35253/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68759/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Stealing user critical data
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483627
Signature
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294264 Sample: GMC New Order 18-2938PDF.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected RedLine Stealer 2->38 40 Yara detected AntiVM_3 2->40 42 11 other signatures 2->42 8 GMC New Order 18-2938PDF.exe 3 2->8         started        process3 file4 26 C:\Users\...behaviorgraphMC New Order 18-2938PDF.exe.log, ASCII 8->26 dropped 46 Injects a PE file into a foreign processes 8->46 12 GMC New Order 18-2938PDF.exe 15 22 8->12         started        16 GMC New Order 18-2938PDF.exe 8->16         started        signatures5 process6 dnsIp7 30 wolf957.duckdns.org 198.46.238.102, 35253, 49738 AS-COLOCROSSINGUS United States 12->30 32 www.geoplugin.net 12->32 34 8 other IPs or domains 12->34 48 Tries to harvest and steal browser information (history, passwords, etc) 12->48 18 cmd.exe 1 12->18         started        signatures8 process9 dnsIp10 28 127.0.0.1 unknown unknown 18->28 44 Uses ping.exe to sleep 18->44 22 conhost.exe 18->22         started        24 PING.EXE 1 18->24         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 00:51:59 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eu3jsqmzdeae7n2hoqcqvpl5ae3tmoab7fu222s2txmwzesdbcyq._file
Verdict:
unknown
Similar samples:
082f1317f03b76584194dc5b800ed466cc1fbef34ef63a6019c2dc1de47212ed
RedLineStealer
09cb72a7bbb6ed837874193fcecdc231ed9d87752d1d1f668e7afcb2f10440de
RedLineStealer
516f16ca6f1b1ec44cb6c21f9849ceb0e7474adffce7530d1fe46c4483e5c27f
RedLineStealer
551022935cb64a9df1e36625a3be468c99a25086b505a4dba1c533f3f749c7a4
RedLineStealer
8611b66792009b09d0b2459319d53f4bc276400c55db9ebeb88527526d727156
RedLineStealer
8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007
RedLineStealer
aa10af5c6a92dc01b8ba38871c9a1b111cc36a6e0f6d1a039b5ba624bb700a36
RedLineStealer
ca1104a79514d23f1d60fc6e92e626a6a29c3b217bdf30324237c7d12c5dfb10
RedLineStealer
e281f0b064faeff8de9de21c7bd3ef3b385decbeb9cb69cc72035c02c1571eb4
RedLineStealer
fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f
RedLineStealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer discovery spyware infostealer family:redline trojan family:agenttesla
Link:
https://tria.ge/reports/201007-zyx4b7ycex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1
MD5 hash:
4b155568c93b744eadea5dd3baa57945
SHA1 hash:
3b9c77848c99bb15bc6faf5d327080f92f47cb0c
Link:
https://www.unpac.me/results/fb48dc2d-5013-4330-89f3-19becfa9f9ca/
SH256 hash:
9c1446386569be2d0162b385eb104b04e14d2b5183259a23db05aecfa4e4c427
MD5 hash:
7b13a72967571248ddc9e545a65a0333
SHA1 hash:
1e49f92cc1df9d4d86504a9c365fa95105690ec7
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/fb48dc2d-5013-4330-89f3-19becfa9f9ca/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/fb48dc2d-5013-4330-89f3-19becfa9f9ca/
SH256 hash:
5cba02b2cd55dfb9c3a15a726957b06bf42adbc67036225a664af32132e3b91f
MD5 hash:
eb34a2a9c125071c448233b5593863f3
SHA1 hash:
4750942bc55ee3601b72f5c8c3e31a24c31b2eb2
Link:
https://www.unpac.me/results/fb48dc2d-5013-4330-89f3-19becfa9f9ca/
SH256 hash:
383c89d8aeb8051d4c91758a81d52bd49fc976c011ea2b844b4c6c0948ff1381
MD5 hash:
ccb2e4350ccf7f7066df1d39a734a888
SHA1 hash:
a40890612a4c40b55b70c53dfb6f76f98b383f3e
Link:
https://www.unpac.me/results/fb48dc2d-5013-4330-89f3-19becfa9f9ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

img 154b094a0357d82ab9e90f1d15d1a9bf5a433f928b510eb05c69a06bb36ea604

RedLineStealer

Executable exe 253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1

(this sample)

  
Dropped by
MD5 21614302c56ebde877aefeb1c22bc40b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68759/
  
Dropped by
SHA256 154b094a0357d82ab9e90f1d15d1a9bf5a433f928b510eb05c69a06bb36ea604

Comments