MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b0519e3978cea744b220f109077b4b012dc4e9856be838588f0cad62cb8c31b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 11 File information Comments

SHA256 hash:	2b0519e3978cea744b220f109077b4b012dc4e9856be838588f0cad62cb8c31b
SHA3-384 hash:	a6b22ded20611076f210a802b3d9ed1df643dfa524b91eb9ca3422ed50ed80f8c47ae77c3603a44f42f4d80dde632dd8
SHA1 hash:	801778ba97a84a2a6d3835a6dfdc97bfcafecc4b
MD5 hash:	94c2c236ef4d030354e7c26b184d9c59
humanhash:	fruit-muppet-winner-cola
File name:	2b0519e3978cea744b220f109077b4b012dc4e9856be8.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	578'560 bytes
First seen:	2021-11-26 18:31:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:VcgHBrnF5H0LsQ9mD+jr7WO/RxEl9NSFs0k7FbE5ksCxh5lPgPsa9KV9WUUlwRXu:VLhHJCj1/RMHZbEkN3WaRhm610ee
Threatray	306 similar samples on MalwareBazaar
TLSH	T154C4AF1FA203C950F549BF74D6339F6523A0BDB39C68C24763987A7D942E7782E85382
File icon (PE):
dhash icon	5fdb19b9ccdc9ce0 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.134.225.35:7821

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.134.225.35:7821	https://threatfox.abuse.ch/ioc/254996/

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2b0519e3978cea744b220f109077b4b012dc4e9856be8.exe

Verdict:

Malicious activity

Analysis date:

2021-11-26 18:35:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6cc31f18-4e49-4965-b6bb-99e524fdced6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Dropper.Generic-7113183-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Launching a process

Creating a process with a hidden window

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Sending a TCP request to an infection source

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61a12825b71ceed41531f2f2/reports/803f64b2-77be-470a-9a84-758292962c0e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/625004f9-84c2-4e1c-b931-3392b832eff3

Result

Threat name:

AsyncRAT RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/896929

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AsyncRAT

Yara detected Costura Assembly Loader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2b0519e3978cea744b220f109077b4b012dc4e9856be838588f0cad62cb8c31b/

Threat name:

ByteCode-MSIL.Trojan.AgentAGen

Status:

Malicious

First seen:

2021-11-26 18:21:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fmcrty4xrtvhiszcb4ija55uwajnytuyk27ihbmi6dfnmlfyymnq._file

Verdict:

suspicious

RedLineStealer

19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0

RedLineStealer

293e9d691076d1b23090f9df8a3605b61448dc83126990cbde71ff97563bbc1a

RedLineStealer

3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b

RedLineStealer

5a365cea38015694af35724920fdc42f98d84e93586d18ad7a1fe83d1687366b

RedLineStealer

65bbafc229aa726d189d7607d03b1c6835ddcdf8ad6ac90017749b051f6b0770

RedLineStealer

736a674fa02f8e3035c2ea7c3698b36db0feb980b83522578e0c6e2aab05d0e3

RedLineStealer

c49e618be06e9a4b4b8fd428ccef9fed7e6dfcecb93583eb505272b117838202

RedLineStealer

+ 296 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:asyncrat family:redline botnet:6666----bot buy----6666 botnet:botbuy discovery infostealer rat spyware stealer

Link:

https://tria.ge/reports/211126-w6l5lshbh8/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Async RAT payload

AsyncRat

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.134.225.35:7821
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808

Unpacked files

SH256 hash:

e5477748007e83263ad6e306d1d63cea51e87bc5e3de6ccbc8e8f2b01912329a

MD5 hash:

6c78807ba5f387e9671b7e08c08fa4fa

SHA1 hash:

e4dc09488ab553c23eef74a464b3d5579eed736b

Link:

https://www.unpac.me/results/66eee56a-9815-4ace-9f78-2644ea0c3e0c/

SH256 hash:

2b0519e3978cea744b220f109077b4b012dc4e9856be838588f0cad62cb8c31b

MD5 hash:

94c2c236ef4d030354e7c26b184d9c59

SHA1 hash:

801778ba97a84a2a6d3835a6dfdc97bfcafecc4b

Link:

https://www.unpac.me/results/66eee56a-9815-4ace-9f78-2644ea0c3e0c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2b0519e3978cea744b220f109077b4b012dc4e9856be838588f0cad62cb8c31b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample