MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 267ca80ba7f91e7982bed38464198b13be2a517b2db425e4f9e3af39f003248d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 267ca80ba7f91e7982bed38464198b13be2a517b2db425e4f9e3af39f003248d
SHA3-384 hash: aef7796651c72db41f9ec672acf09415448ac842e5544666feaebe806e8d18272f4c085bcdf6ea22cd881795a0757ac6
SHA1 hash: c04d4250fbb3f1008a5def6ebf42e9db55ee067f
MD5 hash: ed9061148832c3d96a9215c96293ec25
humanhash: saturn-missouri-undress-summer
File name:26202886.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:571'392 bytes
First seen:2022-03-19 05:12:19 UTC
Last seen:2022-03-19 06:42:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:QEsXcQ4rOMjsh0oQWHq8nELQS03ULaHNqrxlKIQNoM+/lf9NX6Z13Rzk1cVQy2:MXAOM60XWdELkEaHNYK3cNfX6ZRFk1ck
Threatray 1'717 similar samples on MalwareBazaar
TLSH T1B8C4234BCA88FE14C4C717B02FAA8C8DD7454C60E9A1D60EE16FB907DD714B7EA05B15
Reporter adm1n_usa32
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/252921/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6235665fb94fb38cb4aa542e/reports/31639a74-69a8-4d7d-9792-78fcee4f350d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a36ec80-4bf1-45fa-be39-70d2a2e2a6fd
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960011
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Detected VMProtect packer
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592493 Sample: 26202886.exe Startdate: 19/03/2022 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 6 other signatures 2->40 7 26202886.exe 1 2->7         started        process3 signatures4 42 Writes to foreign memory regions 7->42 44 Allocates memory in foreign processes 7->44 46 Injects a PE file into a foreign processes 7->46 10 AppLaunch.exe 15 7 7->10         started        15 conhost.exe 7->15         started        process5 dnsIp6 22 file-coin-coin-10.com 87.251.79.158, 49770, 80 RISS-ASRU Russian Federation 10->22 24 188.68.205.115, 17645, 49756 ITNET33RU Russian Federation 10->24 26 192.168.2.1 unknown unknown 10->26 20 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 10->20 dropped 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->48 50 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->50 52 Tries to harvest and steal browser information (history, passwords, etc) 10->52 54 Tries to steal Crypto Currency Wallets 10->54 17 fl.exe 2 10->17         started        file7 signatures8 process9 signatures10 28 Antivirus detection for dropped file 17->28 30 Multi AV Scanner detection for dropped file 17->30 32 Machine Learning detection for dropped file 17->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/267ca80ba7f91e7982bed38464198b13be2a517b2db425e4f9e3af39f003248d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-19 05:13:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ez6kqc5h7ephtav62ocgigmlco7cuul3fw2clzhz4oxtt4adesgq._file
Verdict:
malicious
Similar samples:
1f302a689174433c1abdb486b2b3c623f0df74766e63ccc608e678ba142432ea
RedLineStealer
25a1dd6991b1cb883351b337bf26ed84eaa84b276e9a430e34efa2265d058856
RedLineStealer
4b415f57ac7f2c6fbe7c0a984e819197866fa04b9f88651ab6ede076a7c76c60
RedLineStealer
55a7d2b17477a6d16a1666e267e9bdbb1d6201b0fa07dfb20d2fb5a1b184024d
RedLineStealer
5a37e85ddf1b693cb2e938710a4fc0cea30062eb784ad5b8cecd0d1170d5da6f
RedLineStealer
81dd784ad8e4a6924b1b0ee5ebf09d3018e3bda4225f3c89439e8846cf5e09d9
RedLineStealer
8df6d0e3f95fb3f04f6316d2dbeb59ee9a20e2ff9c91953fab95b6f11b968bba
RedLineStealer
af5c1edc2e290ba4ecafee0f7f5b02182e5df7672ce8004ba3bafd320f2592f3
RedLineStealer
e59a89138d5d7d96b4336b9323be581e35b3056180cc4fcf2844027534d5c189
RedLineStealer
+ 1'707 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220319-fwfbbaccd8/
Behaviour
Program crash
Unpacked files
SH256 hash:
7082653dcc84ac1a4b87675fbba6ce0d5a53316b2246e1ee72d39a2565ab6060
MD5 hash:
a04c2595a2f26457a376ab9306d8fd78
SHA1 hash:
e8d68655ced8e81d97d25608d2d26a858c2363af
Link:
https://www.unpac.me/results/a946b2dd-8989-4764-a7f1-65bc3ef8c851/
SH256 hash:
d8f01a50e3150478c8683992b679e88661f2a21fa3f743409e85104a884842ea
MD5 hash:
ab0a48076159ce12fc959ffb212b891a
SHA1 hash:
0e98fabd0d67da4f7885dc68922a4d2fc229cef7
Link:
https://www.unpac.me/results/a946b2dd-8989-4764-a7f1-65bc3ef8c851/
SH256 hash:
267ca80ba7f91e7982bed38464198b13be2a517b2db425e4f9e3af39f003248d
MD5 hash:
ed9061148832c3d96a9215c96293ec25
SHA1 hash:
c04d4250fbb3f1008a5def6ebf42e9db55ee067f
Link:
https://www.unpac.me/results/a946b2dd-8989-4764-a7f1-65bc3ef8c851/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/267ca80ba7f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/267ca80ba7f91e7982bed38464198b13be2a517b2db425e4f9e3af39f003248d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/252921/

Comments