MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f
SHA3-384 hash: 3244ec367a8151595d38795159734161d6647696c28194e6e5780cf6c7ffb6453b71fb304c7c80ca6d5e301661a224fe
SHA1 hash: 50163e90ff9d1921ca5a5097634f25124a6b50fb
MD5 hash: 14d9e9e29951389651ada7196394637d
humanhash: oxygen-bulldog-river-butter
File name:14d9e9e29951389651ada7196394637d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:18'944 bytes
First seen:2020-12-15 07:57:07 UTC
Last seen:2020-12-15 09:47:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 384:O7p3+30UdVSj16tDNZdiQeqpFDb3kOV0kY28:up3TUi16n2QeqFDj5M
Threatray 263 similar samples on MalwareBazaar
TLSH 5B82193277D5433DEAAA5B7480F942006571F642A602DFAFACC4A19257333864B627F7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://198.100.158.140:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
14d9e9e29951389651ada7196394637d.exe
Verdict:
Malicious activity
Analysis date:
2020-12-15 08:04:22 UTC
Tags:
rat redline trojan evasion
Link:
https://app.any.run/tasks/42a9b61d-bdf2-4608-bb18-dd491318bb5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108097/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.60676.2620.10873.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Sending a UDP request
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/563082
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f/
Threat name:
ByteCode-MSIL.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 02:12:31 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fmkmighm4gpnuw772yruw4pltnqoxhyhzafdquh3ony75wjk2y7q._file
Verdict:
malicious
Similar samples:
23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787
RedLineStealer
29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9
RedLineStealer
2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
RedLineStealer
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
RedLineStealer
4ae6b816ae796954dd22a01dacb47e9e76bd3facc4f20f7f8fb76e18fd20b27b
RedLineStealer
56f814347c8ec650f905e26cb30343d437b587d8f663ac6bbf4ae4ca483898e1
RedLineStealer
7d957b25b466f6b1eca625ad56a3472a83b2efc825a5d056a7d11b1b74f17fa3
RedLineStealer
c4e42ebfd487b325ece4f09d75687c96e252aa8559f8a8daad6336dc39ee5424
RedLineStealer
d8ab8eb6d9e9fdb54f5d72254eafb2732342f8883ee96749bb8615ca196963bb
RedLineStealer
dbb953f1943fa6f07fcaad4f4469fc48a19dc1df34b2502ea8c7b789bedbfade
RedLineStealer
+ 253 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline infostealer keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201215-fspz4zpcks/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f
MD5 hash:
14d9e9e29951389651ada7196394637d
SHA1 hash:
50163e90ff9d1921ca5a5097634f25124a6b50fb
Link:
https://www.unpac.me/results/f0a6285f-8026-4560-8747-db5364628239/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/896394/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108097/

Comments