MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d21d56c6e2bb7643be411747eabf7c9eaf5316a1520e3a84f1363c53075d87c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 3 File information Comments

SHA256 hash:	2d21d56c6e2bb7643be411747eabf7c9eaf5316a1520e3a84f1363c53075d87c
SHA3-384 hash:	5cf2987094d556ae8f0c897a8df51e84ba6e3b0a850984c5f5fef690af109108c9ab4bbfcf4e381b2d1e2eb958e10498
SHA1 hash:	d3e4912cce03f627ab8da804fc0151c7815f5eb4
MD5 hash:	4b822ff53f5ad740eeaba9e1bb26ad68
humanhash:	cat-fruit-edward-bulldog
File name:	AMAZONORDER929293384PDF.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	940'032 bytes
First seen:	2021-10-22 18:44:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:KrRKzyKje6aY8FGjyDUYZluEhckcUkdH:ORKWKje6wQjcU+lrkt
Threatray	101 similar samples on MalwareBazaar
TLSH	T1FC156CA93144ECCFC4178F76445D9C20A1256CAB421BE30F31973A9A8EEE7D25A463DF
File icon (PE):
dhash icon	f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
136.144.41.204:34268

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
136.144.41.204:34268	https://threatfox.abuse.ch/ioc/236647/

Intelligence

File Origin

# of uploads :

# of downloads :

411

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/199508/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/617306b7a9d585e6d5356385/reports/2e2d0ec0-5c94-4cb3-ac5c-257af61e2ba6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/77262e0b-9d1a-443f-810f-b10e1fa63551

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/875398

Signature

.NET source code contains potential unpacker

Connects to many ports of the same IP (likely port scanning)

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses dynamic DNS services

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d21d56c6e2bb7643be411747eabf7c9eaf5316a1520e3a84f1363c53075d87c/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2021-10-22 18:26:41 UTC

AV detection:

14 of 44 (31.82%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fuq5k3dofo3wio7ecf2h5k7xzhvpkmlkcuqohkcpcnr4kmdv3b6a._file

Verdict:

malicious

RedLineStealer

1adfef6c467845d28da8364481e3a857c03ba6f1a058d5ecc061f3761c0993ba

RedLineStealer

800346e0531230e0cde13dad6e6795fbf298fdc95c97481f6c28c4a1043227ce

RedLineStealer

9534643f38e9d47c07b32097a951351d0b24da96927b5dc8f9e84e9cb371915e

RedLineStealer

b19eaf0721dd26a606c22a8e988f7a0c36a52587214169a3e59ad61e2fecb267

RedLineStealer

d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a

RedLineStealer

da184b3620bfaede69d888624cc3971efd9a72c58941a358d58f63e8d7eeffef

RedLineStealer

fdb8321fe5919f80f19b679e4f918e707713cf52f734d0815e27a52f7cc19d50

RedLineStealer

+ 91 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211022-xd4pmacad6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

3817cef5914da7a9028769b613a8dd5f88680682e7367ea4f07683dd10a89921

MD5 hash:

94fc81c23ae78305ac06853ffc30c6cc

SHA1 hash:

e83c6a9d44e67112c01e8cfa0a42d982f1cf4694

Link:

https://www.unpac.me/results/017b8f71-667a-40dd-ad8a-91cb85f049f2/

SH256 hash:

61a13e4c50c8a9d263b418534964f11ec6918809fdb405b8f4c6687790d71280

MD5 hash:

d148573c5d55b3ce3d0518eba8925187

SHA1 hash:

af0463e7a2f714154141c57c8f6410c34397cd29

Link:

https://www.unpac.me/results/017b8f71-667a-40dd-ad8a-91cb85f049f2/

SH256 hash:

6fee24a1398bb022d0c5b9059b9b21e7636fc3861866a583d0e49b7d0ca56d58

MD5 hash:

36e2528c3cb3ad299ea481283687cdd6

SHA1 hash:

1981340bc7be1aa8f78f942fc6f0724838e35a87

Link:

https://www.unpac.me/results/017b8f71-667a-40dd-ad8a-91cb85f049f2/

SH256 hash:

2d21d56c6e2bb7643be411747eabf7c9eaf5316a1520e3a84f1363c53075d87c

MD5 hash:

4b822ff53f5ad740eeaba9e1bb26ad68

SHA1 hash:

d3e4912cce03f627ab8da804fc0151c7815f5eb4

Link:

https://www.unpac.me/results/017b8f71-667a-40dd-ad8a-91cb85f049f2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2d21d56c6e2bb7643be411747eabf7c9eaf5316a1520e3a84f1363c53075d87c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/199508/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample