MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2872f74fbf7bd3e63d2dec6c9f1521bce6b38a6718ea67d123a21908634c45ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 1 File information Comments

SHA256 hash:	2872f74fbf7bd3e63d2dec6c9f1521bce6b38a6718ea67d123a21908634c45ef
SHA3-384 hash:	69fc15df765476a8d75adbcc8988076a568f9bc82488f630f068dda325d83c6aff2dbe90a5f0798366d0c084fa217146
SHA1 hash:	7cc253c5d3c4e6ecbc26a5074d6378f10b9ed260
MD5 hash:	77b320b2bfd537a3a375c8349d43cfd3
humanhash:	beer-may-yankee-beryllium
File name:	77B320B2BFD537A3A375C8349D43CFD3.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	238'095 bytes
First seen:	2021-04-21 07:16:45 UTC
Last seen:	2021-04-21 08:02:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	384:qVckyLm6DTpsFSepmrf/kq6kYcV6QUiJFZb:ackyLm6CmIiYcV6Ti9b
Threatray	54 similar samples on MalwareBazaar
TLSH	3934F921A3D4417AC6354532AC236B051EBBD67F6E1B866F348C691F7F732108723BA9
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
93.115.20.205:3312

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
93.115.20.205:3312	https://threatfox.abuse.ch/ioc/9352/

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

77B320B2BFD537A3A375C8349D43CFD3.exe

Verdict:

Malicious activity

Analysis date:

2021-04-21 07:22:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a8d8b3c6-0dda-4d3d-be5d-0801149801ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/141869/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36731933.14271.29383.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Creating a file in the Windows subdirectories

Deleting a recently created file

Creating a process from a recently created file

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2872f74fbf7bd3e63d2dec6c9f1521bce6b38a6718ea67d123a21908634c45ef/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2021-04-18 05:03:57 UTC

AV detection:

10 of 29 (34.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fbzpot57ppj6mpjn5rwj6fjbxttlhcthddvgpujduimqqy2mixxq._file

Verdict:

malicious

RedLineStealer

1536e8e12d95c8e705387cc6ca8c14dad8e7d3f59ba7971a25cbd05b48a04d0c

RedLineStealer

29e91bd8d9f38798bc24f4447b7f3ba7fd908ffaff436217b6c6c6d3508f7284

RedLineStealer

33c04f77c2590ff87733bdbf3d0226a7b6614276620f0dd3c279fffbf5ad1d8a

RedLineStealer

530b1e78bd5bdde0546fb70e6f9537003dae474c918bcde154e2c90394286a33

RedLineStealer

78cf294b91a04cbedfab6ea4bc77ed0e912e2076be8d623529c62e1c49fb338f

RedLineStealer

c32ac26ceb3ea5b87c5187682cd69d3c1b58ed9362aa8660e3ec8d9d07d4f5a5

RedLineStealer

e99f37f96959011aa58267233f120986aefa12831c9bfbff3b3cdee7914f9d7f

RedLineStealer

f4346c9695322212bcbd3ca0cd0fea6e91d34448b278a1dd5af766020f86aeb6

RedLineStealer

fe1ae654313a1525714c509f438b835f5ab342303c76f3cf7360a50043516493

RedLineStealer

+ 44 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1704 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210421-m6v7ke3kkx/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

adwrdsearch.xyz:3312

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/2872f74fbf7bd3e63d2dec6c9f1521bce6b38a6718ea67d123a21908634c45ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/141869/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample