MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b6bce478fac3fcfe4e2d44aedbd325c7720b9792c055fe70bc3b9a3ddcc9373. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b6bce478fac3fcfe4e2d44aedbd325c7720b9792c055fe70bc3b9a3ddcc9373
SHA3-384 hash: 78c67a40a2051bc7728ce0c764d884c839c6423ab779a215fcd52f6f5162cee3ecc7626d24bc364007aef85cfebe3e93
SHA1 hash: 6bbbbfda91a74ddad344a2bfd30bc53ef4b46be0
MD5 hash: 0bd5ec266136fec04dc16c1fc4ba6f22
humanhash: bravo-oranges-apart-cat
File name:RD.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:248'832 bytes
First seen:2021-02-01 09:55:58 UTC
Last seen:2021-02-01 11:39:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep 6144:tbSORziBxUIO4RVEcf1gZIcv49KgLjrYcnHCV7U8+qJ8L:RRziBG4RXa1v49VLrHO/+
Threatray 59 similar samples on MalwareBazaar
TLSH F634E101C292097BC1AD74BDB54223C38AB7751B9CB12A7584CBB25A4BDF20D7063BDB
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cp8.cpanelhosting.rs
Sending IP: 217.26.215.48
From: office@zsv-novisad.com
Subject: Confirm your payment
Attachment: invoice-2019.iso (contains "RD.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RD.exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 10:02:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6f601e27-dc43-440e-8e80-60021863b862

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114468/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/595209
Signature
Binary contains a suspicious time stamp
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346644 Sample: RD.exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 96 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected RedLine Stealer 2->36 38 5 other signatures 2->38 7 RD.exe 1 2->7         started        11 System5.exe 1 2->11         started        process3 file4 24 C:\Users\user\AppData\Local\...\RD.exe.log, ASCII 7->24 dropped 40 PowerShell case anomaly found 7->40 13 powershell.exe 15 7->13         started        17 RD.exe 15 2 7->17         started        42 Injects a PE file into a foreign processes 11->42 20 System5.exe 14 2 11->20         started        signatures5 process6 dnsIp7 26 C:\Users\user\AppData\Roaming\...\System5.exe, PE32 13->26 dropped 28 C:\Users\user\...\System5.exe:Zone.Identifier, ASCII 13->28 dropped 44 Drops PE files to the startup folder 13->44 46 Powershell drops PE file 13->46 22 conhost.exe 13->22         started        30 129.213.102.96, 49729, 49732, 49733 ORACLE-BMC-31898US United States 17->30 file8 signatures9 process10
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2b6bce478fac3fcfe4e2d44aedbd325c7720b9792c055fe70bc3b9a3ddcc9373/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 09:56:23 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnv44r4pvq747zhc2rfo3pjslr3sbolzfqcv7zylyo42hxomsnzq._file
Verdict:
malicious
Similar samples:
08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b
RedLineStealer
195014dababb9cb3fc685529d52dcd58a764f231a59b07a68f6673c454d831ee
RedLineStealer
4822c7636f2dcdfd1dcac8af813496dbe4d1cb4e5d88fec4e175d87bbdbaafbf
RedLineStealer
4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e
RedLineStealer
68e1ab10c0906ad3d54599d03150938a0e00533060251b1223b76440e4d51b6a
RedLineStealer
85dd5d9ef955400038cae7ac32f2931c3b6966792bbfd353f14627c2261f2d9c
RedLineStealer
91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c
RedLineStealer
931210400364c50e45ab51294521789d451406a9538a38fd99cce928c9188f53
RedLineStealer
d94be77dfbd21d042637633b3dbbe689953c9385f011746cca6dd253cfa1c133
RedLineStealer
e846c73b8c02eb9abc0e42d17bb3f3b501e6c4a327d3308b2d16cffa7a813638
RedLineStealer
+ 49 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210201-tbxgp24dks/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/478c5886-c6d5-4ad6-bd92-e3cbe57b952c/
SH256 hash:
b874c88bdaf40783e7a9a733a88a09825d4127ddbe333739d41576d84b4b4d61
MD5 hash:
831103285d0366a7e25c21bc52b43027
SHA1 hash:
9e06e7ce1ddb8209c3b2c0f35dc1f65a2fb12ea4
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/478c5886-c6d5-4ad6-bd92-e3cbe57b952c/
SH256 hash:
2b6bce478fac3fcfe4e2d44aedbd325c7720b9792c055fe70bc3b9a3ddcc9373
MD5 hash:
0bd5ec266136fec04dc16c1fc4ba6f22
SHA1 hash:
6bbbbfda91a74ddad344a2bfd30bc53ef4b46be0
Link:
https://www.unpac.me/results/478c5886-c6d5-4ad6-bd92-e3cbe57b952c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b6bce478fac3fcfe4e2d44aedbd325c7720b9792c055fe70bc3b9a3ddcc9373

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_redline_stealer_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:Detects unpacked main component of Redline Stealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

iso 1bc52eebe1503adb39064c727b9ad5c23957e0ee2a329b45705fced8eccf2b68

RedLineStealer

Executable exe 2b6bce478fac3fcfe4e2d44aedbd325c7720b9792c055fe70bc3b9a3ddcc9373

(this sample)

  
Dropped by
MD5 7cc6dc068b5b09380a3c197f0857e102
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1bc52eebe1503adb39064c727b9ad5c23957e0ee2a329b45705fced8eccf2b68
Cape
Cape
https://www.capesandbox.com/analysis/114468/

Comments