MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 260191afe0e066cf63b69262018f62ac4d3fa02cd2188440f9d678de671772ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 260191afe0e066cf63b69262018f62ac4d3fa02cd2188440f9d678de671772ff
SHA3-384 hash: a7964bf79f7175dcb978eb1171d3294627215d35020d56d112ab7844bf4b3eaef4d9672870461c61843982a78f1a929d
SHA1 hash: da64f8642efa8822bfd7c22b203b88e2dd85d7b2
MD5 hash: 30cca49642792de486fd227403b99c01
humanhash: pizza-ink-virginia-lactose
File name: 260191afe0e066cf63b69262018f62ac4d3fa02cd2188440f9d678de671772ff
Signature: RedLineStealer
File size: 1'300'536 bytes
First seen: 2022-05-20 06:54:50 UTC
Last seen: 2022-05-20 07:59:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b9c3c1592f11f23844ce8b62fe6373ac (7 x RedLineStealer, 1 x Neurevt, 1 x ArkeiStealer)
ssdeep: 24576:gTEywpaA6a9Vwd6Hc+yDmUOe1ivDN8vQVdNWVycFtFpHCv/+TrQYhwbnZfO:gTEn6EKIHsZKvDN8YQVUH4rQ1no
TLSH: T19855123062B98072F5B220F055B1C766252BBDDA9B6083EB83C7E1B5771A9F48C76713
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f1c8cce8f0d4f031 (1 x RedLineStealer)
Reporter: JAMESWT_WT
Tags: exe exxon-com RedLineStealer signed

Code Signing Certificate

Organisation: exxon.com
Issuer: GeoTrust RSA CA 2018
Algorithm: sha256WithRSAEncryption
Valid from: 2021-12-30T00:00:00Z
Valid to: 2022-09-02T23:59:59Z
Serial number: 0a2787fbb4627c91611573e323584113
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: f9e9a60c1cd232d58217be558fa89445516e19674d9c719ee35b8b7ffa692873
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
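Two checks this entry enables, as an added example in Python (not code from MalwareBazaar or ReversingLabs): matching a file under triage against the hashes listed above, and deciding whether an Authenticode signer matches the CSCB entry. The hash and certificate values are the ones on this page; the bytes hashed are a constructed stand-in, not the sample. The certificate point worth noticing is that its validity window (2021-12-30 to 2022-09-02) covers the sample's first-seen date, so a signature that chains to a public CA and is in date is exactly what this file would have presented; the blocklist has to be matched on thumbprint or serial, and both are normalised here because Windows tools print them with separators and without the leading zero byte.

```python
import hashlib
from datetime import datetime, timezone

# IOC record copied from the MalwareBazaar entry on this page.
BAZAAR_RECORD = {
    "signature": "RedLineStealer",
    "sha256": "260191afe0e066cf63b69262018f62ac4d3fa02cd2188440f9d678de671772ff",
    "sha1": "da64f8642efa8822bfd7c22b203b88e2dd85d7b2",
    "md5": "30cca49642792de486fd227403b99c01",
    "sha3_384": "a7964bf79f7175dcb978eb1171d3294627215d35020d56d112ab7844bf4b3eaef4d9672870461c61843982a78f1a929d",
}

# Code-signing certificate fields from the same entry (on the MalwareBazaar CSCB).
CSCB_ENTRY = {
    "organisation": "exxon.com",
    "thumbprint_sha256": "f9e9a60c1cd232d58217be558fa89445516e19674d9c719ee35b8b7ffa692873",
    "serial": "0a2787fbb4627c91611573e323584113",
    "valid_from": datetime(2021, 12, 30, 0, 0, 0, tzinfo=timezone.utc),
    "valid_to": datetime(2022, 9, 2, 23, 59, 59, tzinfo=timezone.utc),
}
FIRST_SEEN = datetime(2022, 5, 20, 6, 54, 50, tzinfo=timezone.utc)

# Constructed stand-in for a file under triage: a PE-like stub, NOT the sample.
SAMPLE_BYTES = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n" + bytes(range(256)) * 16

DIGEST_NAMES = ("sha256", "sha1", "md5", "sha3_384")


def norm_hex(value):
    """Lowercase hex with separators dropped: certificate dialogs show thumbprints
    as 'AA BB ...' or 'aa:bb:...', MalwareBazaar as one lowercase string."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def norm_serial(value):
    """A serial number is an integer; some tools print it without the leading
    zero byte, so compare with leading zeros removed."""
    return norm_hex(value).lstrip("0") or "0"


def digest_all(data, chunk_size=1 << 20):
    """Every digest the entry lists, computed in one pass over the bytes."""
    hashers = {name: hashlib.new(name) for name in DIGEST_NAMES}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_record(digests, record):
    """'match' when every hash the record lists agrees, 'none' when none does,
    'inconsistent' when only some do (a mis-copied record, or a hit made on
    MD5/SHA1 alone): the last case is an error to investigate, not a detection."""
    listed = {n for n in DIGEST_NAMES if n in record}
    if not listed:
        return "none", set()
    matched = {n for n in listed if digests[n] == norm_hex(record[n])}
    if matched == listed:
        return "match", matched
    if not matched:
        return "none", matched
    return "inconsistent", matched


def triage(data, record=BAZAAR_RECORD):
    digests = digest_all(data)
    status, matched = match_record(digests, record)
    return {
        "status": status,
        "matched": sorted(matched),
        "signature": record["signature"] if status == "match" else None,
        "digests": digests,
    }


def check_signer(thumbprint_sha256, serial, signing_time, entry=CSCB_ENTRY):
    """Blocklist decision for an Authenticode signer. time_valid is reported
    separately to make the point: this certificate was inside its validity
    window when the sample was first seen, so 'valid signature' on its own
    says nothing about the file."""
    blocklisted = (
        norm_hex(thumbprint_sha256) == norm_hex(entry["thumbprint_sha256"])
        or norm_serial(serial) == norm_serial(entry["serial"])
    )
    time_valid = entry["valid_from"] <= signing_time <= entry["valid_to"]
    return {
        "blocklisted": blocklisted,
        "time_valid": time_valid,
        "verdict": "block" if blocklisted else "no-blocklist-hit",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BYTES))
    # Thumbprint and serial written the way certmgr.msc / signtool display them.
    print(check_signer("F9:E9:A6:0C:1C:D2:32:D5:82:17:BE:55:8F:A8:94:45:51:6E:19:67:4D:9C:71:9E:E3:5B:8B:7F:FA:69:28:73",
                       "A2787FBB4627C91611573E323584113", FIRST_SEEN))
```

To use this against a real file, read it in binary and pass the bytes to `triage`; feed `check_signer` the signer thumbprint and serial extracted from the PE's Authenticode blob (for example with `signtool verify /v` or `Get-AuthenticodeSignature`), together with the signing timestamp rather than the current time.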

Intelligence


File Origin
# of uploads: 2
# of downloads: 282
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: 260191afe0e066cf63b69262018f62ac4d3fa02cd2188440f9d678de671772ff
Verdict: Malicious activity
Analysis date: 2022-05-20 06:58:23 UTC
Tags: trojan rat redline evasion stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Launching a process

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  SystemUptime
  MeasuringTime
  EvasionGetTickCount
  CheckCmdLine
  EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Found malware configuration
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 630821, sample nSRXNSkbYX, start date 20/05/2022, architecture WINDOWS, score 100), rendered as a process tree:
  Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  nSRXNSkbYX.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    -> InstallUtil.exe
       network: 65.21.213.209:32936 (CP-ASDE, United States; local port 49754); bitbucket.org 104.192.141.1:443 (AMAZON-02US, United States; local ports 49760, 49761); 3 other IPs or domains
       dropped: C:\Users\user\AppData\Local\Temp\flname.exe (PE32+)
       signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
       -> flname.exe
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          -> cmd.exe
             signatures: Encrypted powershell cmdline option found
             -> powershell.exe
             -> conhost.exe
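The behavior graph above records the chain nSRXNSkbYX.exe -> InstallUtil.exe (outbound to 65.21.213.209:32936 and to bitbucket.org on 443, drops flname.exe into the user's Temp directory) -> flname.exe -> cmd.exe -> powershell.exe with an encoded command line. The following is an added detection example in Python, not part of this page or of any vendor's sandbox: it replays that chain as constructed Sysmon-style events (the full image paths and the base64 PowerShell payload are assumed placeholders, not values from the sample) and flags the four behaviours a hunting query would key on: InstallUtil.exe launched by a binary living in a user-writable directory, InstallUtil.exe making outbound connections at all, a PE written under Temp and then executed, and powershell.exe carrying -EncodedCommand, which is decoded for the analyst.

```python
import base64
import re

# Constructed Sysmon-style events reproducing the process tree from the graph.
# Full paths for InstallUtil.exe, cmd.exe and powershell.exe are assumed; the
# encoded PowerShell payload is a harmless placeholder, not the sample's.
DOTNET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
LOADER = "C:\\Users\\user\\Desktop\\nSRXNSkbYX.exe"
DROPPED = "C:\\Users\\user\\AppData\\Local\\Temp\\flname.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PLACEHOLDER_ENC = base64.b64encode("Write-Host 'constructed placeholder'".encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 9, "image": LOADER, "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "nSRXNSkbYX.exe"},
    {"type": "process_create", "pid": 12, "image": DOTNET, "parent_image": LOADER, "cmdline": "InstallUtil.exe"},
    {"type": "network_connect", "pid": 12, "image": DOTNET, "dst_ip": "65.21.213.209", "dst_port": 32936},
    {"type": "network_connect", "pid": 12, "image": DOTNET, "dst_ip": "104.192.141.1", "dst_port": 443},
    {"type": "file_create", "pid": 12, "image": DOTNET, "path": DROPPED},
    {"type": "process_create", "pid": 17, "image": DROPPED, "parent_image": DOTNET, "cmdline": "flname.exe"},
    {"type": "process_create", "pid": 20, "image": CMD, "parent_image": DROPPED, "cmdline": "cmd.exe /c powershell -enc " + PLACEHOLDER_ENC},
    {"type": "process_create", "pid": 23, "image": PS, "parent_image": CMD, "cmdline": "powershell -enc " + PLACEHOLDER_ENC},
    {"type": "process_create", "pid": 25, "image": "C:\\Windows\\System32\\conhost.exe", "parent_image": CMD, "cmdline": "conhost.exe"},
]

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# -exec / -ep (ExecutionPolicy) must not match, hence the restricted alternation.
ENC_ARG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]{0,12})?\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE in base64), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Run the four rules over an ordered event stream and return the alerts."""
    alerts = []
    dropped_exes = {}  # lowercase path -> pid that wrote it
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["path"].lower()
            if path.endswith(".exe") and "\\temp\\" in path:
                dropped_exes[path] = ev["pid"]
        elif ev["type"] == "network_connect":
            # InstallUtil.exe has no business talking to the network; a port
            # outside 80/443 (the C2 here uses 32936) is the stronger signal.
            if basename(ev["image"]) == "installutil.exe":
                sev = "high" if ev["dst_port"] not in (80, 443) else "medium"
                alerts.append({"rule": "installutil_network", "severity": sev, "pid": ev["pid"],
                               "detail": f"{ev['dst_ip']}:{ev['dst_port']}"})
        elif ev["type"] == "process_create":
            img = basename(ev["image"])
            if img == "installutil.exe" and in_user_writable_dir(ev["parent_image"]):
                alerts.append({"rule": "installutil_from_user_path", "severity": "high", "pid": ev["pid"],
                               "detail": f"{ev['parent_image']} -> {ev['image']}"})
            if ev["image"].lower() in dropped_exes:
                alerts.append({"rule": "temp_drop_and_execute", "severity": "high", "pid": ev["pid"],
                               "detail": f"{ev['image']} written by pid {dropped_exes[ev['image'].lower()]}"})
            if img == "powershell.exe":
                decoded = decode_encoded_command(ev["cmdline"])
                if decoded is not None:
                    alerts.append({"rule": "encoded_powershell", "severity": "high", "pid": ev["pid"],
                                   "detail": decoded})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} pid={alert['pid']}: {alert['detail']}")
```

The rules are written against normalised fields (image, parent_image, cmdline, dst_ip, dst_port, path) so the same logic maps directly onto Sysmon event IDs 1, 3 and 11 or onto EDR telemetry; the ordering dependency in the Temp rule (file written before the process starts) is deliberate, since an execution of a pre-existing Temp binary is a weaker signal.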

Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-05-15 18:05:57 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Verdict: malicious
Label(s): agenttesla
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@watercloudrobot infostealer spyware suricata
Behaviour:
  Creates scheduled task(s)
  Modifies data under HKEY_USERS
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Drops file in Windows directory
  Drops file in System32 directory
  Suspicious use of SetThreadContext
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Legitimate hosting services abused for malware hosting/C2
  Looks up external IP address via web service
  Loads dropped DLL
  Downloads MZ/PE file
  Executes dropped EXE
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  RedLine
  RedLine Payload
Malware Config
C2 Extraction: 65.21.213.209:32936
Unpacked files
SHA256 hash: 7dd06e7cd18e564d53a6f43987e0047b72fd3e2481dad648fa4eaeeb78d01751
MD5 hash: ffe416cb9166b6d792ed63b159b159ae
SHA1 hash: 532c1d45e425c4a6bb87d25261b4abac74b0b538

SHA256 hash: 9115be1346027c2b3748d9f47047a66aad5bee435fe20e9e9ce397a72147f4ac
MD5 hash: a62a56f1cdee9e239bd41a6c6619b796
SHA1 hash: a2f2d00bcd41c3233ce2d0ae1cc509001b3b3d18

SHA256 hash: fce41e997568461785380de45f79e99350831dc79e25780b29747ab351d3cd05
MD5 hash: 8ce1dab0008deb9b16bbf635429ddacb
SHA1 hash: 107c67c23b7c381658f5c8a10f1966d1fc7b892b

SHA256 hash: 260191afe0e066cf63b69262018f62ac4d3fa02cd2188440f9d678de671772ff
MD5 hash: 30cca49642792de486fd227403b99c01
SHA1 hash: da64f8642efa8822bfd7c22b203b88e2dd85d7b2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
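What "shellcode api hash value" means in practice, as an added example that is not the JPCERT rule itself: position-independent shellcode resolves imports by hashing export names from the loaded modules' export tables and comparing against constants embedded in the code, so a scanner can precompute those constants for the APIs attackers need and look for them as immediates. ROR-13 over the ASCII export name is one common scheme and is assumed here; the rule's actual hash lists and algorithms are not reproduced on this page. The buffer scanned is a constructed stub, not the sample, and the false-positive guard (several hits within a short window) is the part a practitioner usually has to add.

```python
import struct

# API names a position-independent resolver typically looks up. ROR-13 over the
# ASCII export name (assumed scheme) is what HASH_TABLE is built from.
API_NAMES = (
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "WinExec", "CreateProcessA", "URLDownloadToFileA", "ExitProcess",
)


def ror32(value, count):
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name):
    """h = ror(h, 13) + c for each byte of the export name, as in classic x86 shellcode."""
    h = 0
    for c in name.encode("ascii"):
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h


HASH_TABLE = {ror13_hash(n): n for n in API_NAMES}


def scan_for_api_hashes(buf, table=HASH_TABLE):
    """Every offset whose little-endian DWORD equals a known hash. The scan is
    unaligned on purpose: the constant is normally the imm32 of a push/mov."""
    hits = []
    for off in range(len(buf) - 3):
        value = struct.unpack_from("<I", buf, off)[0]
        if value in table:
            hits.append((off, table[value], value))
    return hits


def looks_like_api_hash_resolver(hits, min_hits=2, window=64):
    """A single 32-bit coincidence is noise in any large file; require several
    hits close together, which is how a resolver stub actually lays them out."""
    offsets = [off for off, _, _ in hits]
    for i, start in enumerate(offsets):
        if sum(1 for off in offsets[i:] if off - start <= window) >= min_hits:
            return True
    return False


def build_constructed_stub():
    """Constructed stand-in for a resolver prologue: 'push <hash>; call ebp' per
    API. The filler opcodes are illustrative only; this is not runnable shellcode."""
    out = b"\xfc\xe8\x00\x00\x00\x00"  # cld; call $+5 (filler)
    for name in ("LoadLibraryA", "WinExec", "ExitProcess"):
        out += b"\x68" + struct.pack("<I", ror13_hash(name))  # push imm32
        out += b"\xff\xd5"  # call ebp
    return out


if __name__ == "__main__":
    stub = build_constructed_stub()
    hits = scan_for_api_hashes(stub)
    for off, name, value in hits:
        print(f"offset {off:#06x}: {name} ({value:#010x})")
    print("resolver-like:", looks_like_api_hash_resolver(hits))
```

A YARA rule doing the same job lists the precomputed constants as `uint32` literals and combines them with a count condition; swapping `ror13_hash` for another family's scheme (different rotate count, case folding, a module-name component) is all that changes when extending the table.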
