MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2937afa694e2560413f2860dd1b71019b1b89839b08317a9d79a651a80486645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	2937afa694e2560413f2860dd1b71019b1b89839b08317a9d79a651a80486645
SHA3-384 hash:	2a62f7de31e46bc2dc92cf86de853c94dec460fe07d58f1b04d8ad5ce9d901c1459963e25c237df4cac56c4840a736fc
SHA1 hash:	dfd1cf8d18c7dfbfb42db3c60afc2d35b0597f64
MD5 hash:	b134f49f0fa367b536ce1d05ec03fbd0
humanhash:	diet-angel-charlie-tango
File name:	b134f49f0fa367b536ce1d05ec03fbd0.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	682'496 bytes
First seen:	2021-02-17 06:57:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:87VY7qo9PDAILnEmo34oguuaHxKlbAVCw9dwTyuRHdHYJV:GBSPUbmo34vLY84dweu43
Threatray	671 similar samples on MalwareBazaar
TLSH	D4E49D2A3E47DC16C3991535E1A3903493B3C546276BD307BFCA22952E627EE7C0D6CA
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/117497/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42845.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% directory

Deleting a recently created file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/609875

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/2937afa694e2560413f2860dd1b71019b1b89839b08317a9d79a651a80486645/

Threat name:

ByteCode-MSIL.Infostealer.Stealgen

Status:

Malicious

First seen:

2021-02-17 05:16:00 UTC

AV detection:

10 of 29 (34.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fe327juu4jlaie7sqyg5dnyqdgy3rgbzwcbrpkoxtjsrvacimzcq._file

Verdict:

malicious

Label(s):

masslogger

RedLineStealer

1cc84d3c06c9a283218310ac6d69e7161fd7605339b78035747c6f51021475ff

RedLineStealer

69a34116377032442c113adb0490c641f4af86b04fb8a2027f094d3678674915

RedLineStealer

7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9

RedLineStealer

8247e9152d0b43ffa80b4c82843bb0903043841c8b9c855ff312461f6443faf4

RedLineStealer

8e395f386862d95d1a2837a56ffac8ec6a8dacd3e61fac1912f1960ada8c5abd

RedLineStealer

ab726a7fa6bca9c0d71686c601534a575530461a42160f7c74e3eae694f64012

RedLineStealer

c7ea090c263f8b67203a9b0a291d1f2711821bd8489caad226f44a4b588a4579

RedLineStealer

caee9387d7ef6216014c68f4acb557c2eaee0b6e9dd79141288eb1d9d06bf30c

RedLineStealer

d8b71994b025ebed63397309543305e2fb8f463025eb94b020abce565d346329

RedLineStealer

+ 661 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware

Link:

https://tria.ge/reports/210217-3sfk6ryds2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788

MD5 hash:

987ce346069cf47535e5ac57265c7228

SHA1 hash:

d0085325ed78fcac6d1f605753237abd1c40db22

Link:

https://www.unpac.me/results/1ab4ac68-7e22-46fd-8069-dbbe59033eeb/

SH256 hash:

4ebaf869fd7722cc03727741e88a78b86f0efb0bc01148e3980c399c7dfd2198

MD5 hash:

b215670dcc49a139baaf3d33e63ad9cf

SHA1 hash:

968d1d8e912d29cd613f6737a1a58cbb59cbc0b2

Link:

https://www.unpac.me/results/1ab4ac68-7e22-46fd-8069-dbbe59033eeb/

SH256 hash:

fe62b1a4777cb591002b74955336a1e9a3b2f6d0b4a66fee890a5c1726f850fe

MD5 hash:

f916de616651a75762805d6509d16ff0

SHA1 hash:

31c83042a25f9a9e30c268ea2bf16cc0d5135b49

Link:

https://www.unpac.me/results/1ab4ac68-7e22-46fd-8069-dbbe59033eeb/

SH256 hash:

2937afa694e2560413f2860dd1b71019b1b89839b08317a9d79a651a80486645

MD5 hash:

b134f49f0fa367b536ce1d05ec03fbd0

SHA1 hash:

dfd1cf8d18c7dfbfb42db3c60afc2d35b0597f64

Link:

https://www.unpac.me/results/1ab4ac68-7e22-46fd-8069-dbbe59033eeb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.67

Link:

https://yomi.yoroi.company/submissions/2937afa694e2560413f2860dd1b71019b1b89839b08317a9d79a651a80486645

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 2937afa694e2560413f2860dd1b71019b1b89839b08317a9d79a651a80486645

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/934843/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/117497/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample