MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28520250ac9a5fc3eb106075215660125fa6d6bdf7109a16ebf95fb55f5d4152. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28520250ac9a5fc3eb106075215660125fa6d6bdf7109a16ebf95fb55f5d4152
SHA3-384 hash: a2481b753719675d395573c0ad675278ed1fa02ba61673f4a2bfd19bcf45df93dc098e1f26edece4f2051636e9ccc168
SHA1 hash: 39f2448ff963f1b4270562f89a4fc7a7167bafef
MD5 hash: b2e1d7a2ff80bb51c66a2802a8274658
humanhash: mango-venus-wolfram-utah
File name:b2e1d7a2ff80bb51c66a2802a8274658
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'044'992 bytes
First seen:2022-09-10 11:37:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:pzai41hw4e/ehLrz0Bk4CAHoLANXkTpPb9sD80M3eGgAWsEl8rIHcZ4n6n1hw4e/:XL4LJDAHQAN0TpBs40M3eHztucHq904
Threatray 1'667 similar samples on MalwareBazaar
TLSH T18A253B0B21950994C87251BCA4CCC5734BAADE45E637C949BFCA9CEFF592F2C42D23A1
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10d2c4f0f2d2b030 (10 x Loki, 8 x AgentTesla, 7 x Formbook)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
570
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
b2e1d7a2ff80bb51c66a2802a8274658
Verdict:
Malicious activity
Analysis date:
2022-09-10 11:40:21 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/36e53ab1-2b75-4b7c-9378-a6915f389838

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309131/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4025.UNOFFICIAL
Create hunting rule

Win.Dropper.LokiBot-9967675-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/631c7799a90642bcbbfb278d/reports/aa1d6636-aa77-4254-b7d1-d94962377ab4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a539b35-131f-40f6-a4d6-93a911c8819b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1068195
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 700727 Sample: 7vXmO0PD7c.exe Startdate: 10/09/2022 Architecture: WINDOWS Score: 100 35 Multi AV Scanner detection for domain / URL 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 10 other signatures 2->41 7 7vXmO0PD7c.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\Roaming\oVdxwT.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp97EF.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\...\7vXmO0PD7c.exe.log, ASCII 7->29 dropped 43 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->43 45 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 2 other signatures 7->49 11 7vXmO0PD7c.exe 15 27 7->11         started        15 powershell.exe 21 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 api.ip.sb 11->31 33 192.3.223.202, 3652, 49718, 49721 AS-COLOCROSSINGUS United States 11->33 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Tries to steal Crypto Currency Wallets 11->53 19 conhost.exe 11->19         started        21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        signatures8 process9
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/28520250ac9a5fc3eb106075215660125fa6d6bdf7109a16ebf95fb55f5d4152/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 20:37:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbjaeufmtjp4h2yqmb2scvtacjp2nvv564ijufxl7fp3kx25ifja._file
Verdict:
malicious
Similar samples:
02a1835ea805bb1a6ca8d1706fa5a811279ec3fcb1524eb83cfa60f0314cf0dd
RedLineStealer
3b6ebee77ad8b21b22a9841ba224dd5f23091f9c6d6989c17640f0c7d0a5a759
RedLineStealer
479a0ad3ffb8b00a030937613e4b771adff17964c737ab73be28c151bb15ba7c
RedLineStealer
52d2b97b5764ac00ef36008b56a2fb67bac160ff828e60f1d33bc9fa97ddd5ea
RedLineStealer
91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
RedLineStealer
98bb91d8c80f060020b8b49a0a13a1c2cd0f3f5faf1aaad75b0825511ab06fd5
RedLineStealer
b7e115be3acc119d6acb00f79694a8656feeed1d0435ab30d6e782fc617c9f72
RedLineStealer
bf3a1b2e79a4c242512126a1d7ec6caff97f2c3b53745f0ea7820a5fe190e114
RedLineStealer
d1157cde4155b66880bf8d8f4ad4c7158dbbf73598a1cf62c8cb883a1f0edd4c
RedLineStealer
dd905894bd06f37b177dda986cd4378e3bafb3a991c15f8f430b23f24498223f
RedLineStealer
+ 1'657 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sb9s5ylxvj discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220910-nrqkgsdgbr/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
192.3.223.202:3652
Unpacked files
SH256 hash:
732796ac02d3b7016d485980a7e226394596c721f28566179735d469d76919d3
MD5 hash:
4a175a77633c083be3dbb908febd02bd
SHA1 hash:
dde9998737895fed639edf606cb502c2b6546242
Link:
https://www.unpac.me/results/ed3ee886-1e4b-4716-a476-674430032324/
SH256 hash:
8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63
MD5 hash:
dbc7be56e6e32349315170599c8b333f
SHA1 hash:
d8e5840e3574b87d435e55a65ac648e040871aee
Link:
https://www.unpac.me/results/ed3ee886-1e4b-4716-a476-674430032324/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/ed3ee886-1e4b-4716-a476-674430032324/
SH256 hash:
368a8dfe1848a8cf2d0cfc38b522248d0b33bbb9bec7eda02712d98c4098ce8c
MD5 hash:
7119cb9c78c804a696c9f2eedf0fd10b
SHA1 hash:
084f3c2ce0946d1012856f6ec0e65d2dbbeaf5e9
Link:
https://www.unpac.me/results/ed3ee886-1e4b-4716-a476-674430032324/
SH256 hash:
16c7ab2c217e7ebd6f2a579d2c9af9dc00e6181249eac58de97aaa537a056200
MD5 hash:
5cd4c1c31cead5d31ae486276e175a96
SHA1 hash:
0503df956fc07c7985a5f2438a8ea676cb85d7cf
Link:
https://www.unpac.me/results/ed3ee886-1e4b-4716-a476-674430032324/
SH256 hash:
28520250ac9a5fc3eb106075215660125fa6d6bdf7109a16ebf95fb55f5d4152
MD5 hash:
b2e1d7a2ff80bb51c66a2802a8274658
SHA1 hash:
39f2448ff963f1b4270562f89a4fc7a7167bafef
Link:
https://www.unpac.me/results/ed3ee886-1e4b-4716-a476-674430032324/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28520250ac9a5fc3eb106075215660125fa6d6bdf7109a16ebf95fb55f5d4152

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Redline32
Create hunting rule
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 28520250ac9a5fc3eb106075215660125fa6d6bdf7109a16ebf95fb55f5d4152

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2298641/
Cape
Cape
https://www.capesandbox.com/analysis/309131/

Comments


Avatar
zbet commented on 2022-09-10 11:37:31 UTC

url : hxxp://208.67.105.179/mazx.exe