MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 273e01236174022b9582e5479b8156cd4f725911a4973e2224b59086408647da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 273e01236174022b9582e5479b8156cd4f725911a4973e2224b59086408647da
SHA3-384 hash: 2f1b7ef41f8fe01f5b83f742201670bbe29b76e4e5b6829c516bf8171cb6b9e3e01b76bd28e98fcd06e278dc6abca901
SHA1 hash: 5f2b4a1939479159eb68c14deb15407450566854
MD5 hash: 2e71c4940edfd84639ec2e3ffba5bae5
humanhash: april-don-harry-tennis
File name:2e71c4940edfd84639ec2e3ffba5bae5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:74'240 bytes
First seen:2021-11-02 14:48:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 1536:8zQjeNhyTFfAtJ9fRsMqZe3XwuFbi6te3h2gf3JOLd:OqTFfAtJ9fRszyXhF5Y2gf3JOLd
Threatray 8'314 similar samples on MalwareBazaar
TLSH T1DF73A4B7416194A6C1882335F4721F0F3A78D6345984B698F04BF2EADC1D69D8EF83B9
File icon (PE):PE icon
dhash icon e82acdc9b9c6f2c2 (4 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e71c4940edfd84639ec2e3ffba5bae5.exe
Verdict:
Malicious activity
Analysis date:
2021-11-02 15:17:59 UTC
Tags:
trojan rat redline evasion
Link:
https://app.any.run/tasks/20deddaf-0950-466d-8233-9f5cd347478e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201494/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61814fe0bf51178dbe491164/reports/02899e2c-5215-428e-922c-41d64380bc1b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43c9d840-ecab-453f-a807-31d75b5823d8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/881405
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Submitted sample is a known malware sample
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 513839 Sample: pkC8TFNk5b.exe Startdate: 02/11/2021 Architecture: WINDOWS Score: 100 105 Multi AV Scanner detection for submitted file 2->105 107 .NET source code contains method to dynamically call methods (often used by packers) 2->107 109 .NET source code references suspicious native API functions 2->109 111 10 other signatures 2->111 14 pkC8TFNk5b.exe 15 10 2->14         started        process3 dnsIp4 91 iplogger.org 88.99.66.31, 443, 49795, 49796 HETZNER-ASDE Germany 14->91 93 m525-blockchain31432.bar 172.67.213.114, 443, 49776, 49777 CLOUDFLARENETUS United States 14->93 95 2 other IPs or domains 14->95 67 C:\ProgramData\8806865.exe, PE32 14->67 dropped 69 C:\ProgramData\6091856.exe, PE32 14->69 dropped 71 C:\ProgramData\3951281.exe, PE32 14->71 dropped 73 4 other malicious files 14->73 dropped 97 Detected unpacking (changes PE section rights) 14->97 99 May check the online IP address of the machine 14->99 101 Performs DNS queries to domains with low reputation 14->101 19 8806865.exe 14->19         started        23 2205365.exe 14 3 14->23         started        25 3282539.exe 5 14->25         started        27 4 other processes 14->27 file5 signatures6 process7 dnsIp8 77 193.150.103.37, 29118, 49842 ASGENERALTELRU Russian Federation 19->77 115 Multi AV Scanner detection for dropped file 19->115 117 Detected unpacking (changes PE section rights) 19->117 119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->119 135 2 other signatures 19->135 79 querahinor.xyz 45.129.99.59, 49797, 80 GMHOSTUA Estonia 23->79 81 api.ip.sb 23->81 121 Query firmware table information (likely to detect VMs) 23->121 123 Performs DNS queries to domains with low reputation 23->123 125 Machine Learning detection for dropped file 23->125 83 185.215.113.87, 49791, 51436 WHOLESALECONNECTIONSNL Portugal 25->83 127 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->127 129 Tries to steal Crypto Currency Wallets 25->129 131 Hides threads from debuggers 25->131 85 jordanserver232.com 104.21.60.71, 443, 49843 CLOUDFLARENETUS United States 27->85 87 glitterandsparkle.net 104.21.76.206, 443, 49786 CLOUDFLARENETUS United States 27->87 89 192.168.2.1 unknown unknown 27->89 133 Tries to harvest and steal browser information (history, passwords, etc) 27->133 29 mshta.exe 27->29         started        signatures9 process10 process11 31 cmd.exe 29->31         started        file12 75 C:\Users\user\AppData\Local\Temp\O0rNF.EXE, PE32 31->75 dropped 103 Submitted sample is a known malware sample 31->103 35 O0rNF.EXE 31->35         started        38 conhost.exe 31->38         started        40 taskkill.exe 31->40         started        signatures13 process14 signatures15 113 Machine Learning detection for dropped file 35->113 42 mshta.exe 35->42         started        44 mshta.exe 35->44         started        process16 process17 46 cmd.exe 42->46         started        49 cmd.exe 44->49         started        file18 65 C:\Users\user\AppData\Local\...\MGLZR6G.SL1, PE32 46->65 dropped 51 control.exe 46->51         started        53 conhost.exe 46->53         started        55 cmd.exe 46->55         started        57 cmd.exe 46->57         started        59 conhost.exe 49->59         started        process19 process20 61 rundll32.exe 51->61         started        process21 63 rundll32.exe 61->63         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/273e01236174022b9582e5479b8156cd4f725911a4973e2224b59086408647da/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 14:49:05 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e
RedLineStealer
455f27d80de4e45fd405ae467ed2a7b9f8a1e050a27833d79b9ce05a6d72cef4
RedLineStealer
647c067b0bf2c8457c1d4153cf0635a662d709d881b231e06e7f307dbce46e12
RedLineStealer
661ea7579bf85b11440f6a18d9660a3e0038029ebe7e444d1f16095aa13d651a
RedLineStealer
93213a44c861db58c20e17afe5c5d0bfe63f9faf7aa7926bf6df3522dc73e35e
RedLineStealer
b94115f5638021ccf653c3de4c947632560d95d967d64b7b84860e813a8f692a
RedLineStealer
c074e0bdbf7af4d6bde127e16997f8a208666fc74f10f516352fea3fd255650b
RedLineStealer
e3f7e9749e7c09f339b8db5668fc34d98b04950f938084d557f10e3740558529
RedLineStealer
f70d4b4fc9941796d149798614345b8e8bf6e0c69022ac407cb8b03bf26fdc7c
RedLineStealer
+ 8'304 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/211102-r61wjshhdl/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
2d63ee406d9559564430df4756da28b5fc11687c5fadaeac435b72258ce7085f
MD5 hash:
d93c270663bdac15ebb2762fd0d30ef3
SHA1 hash:
b982dfdf777b43526411d3604c6a58fd5af38f56
Link:
https://www.unpac.me/results/4faaf2f1-5acc-402e-9dfc-ae2b594701dd/
SH256 hash:
273e01236174022b9582e5479b8156cd4f725911a4973e2224b59086408647da
MD5 hash:
2e71c4940edfd84639ec2e3ffba5bae5
SHA1 hash:
5f2b4a1939479159eb68c14deb15407450566854
Link:
https://www.unpac.me/results/4faaf2f1-5acc-402e-9dfc-ae2b594701dd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/273e01236174/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/273e01236174022b9582e5479b8156cd4f725911a4973e2224b59086408647da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 273e01236174022b9582e5479b8156cd4f725911a4973e2224b59086408647da

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1734055/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201494/

Comments