MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
SHA3-384 hash:	75ef86f214be8122e25fb09bd30a2e5034537a017f0f603c435d25c3f2344bb01e4c544201894dba9ee2507e5f448260
SHA1 hash:	84505c3ae38421fa4dc6017c8d7e27e9b106cdc9
MD5 hash:	1c55d28dcdcf93370495635d3d64e2fd
humanhash:	mirror-india-papa-uniform
File name:	1c55d28dcdcf93370495635d3d64e2fd.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	391'680 bytes
First seen:	2020-12-07 19:18:11 UTC
Last seen:	2020-12-07 20:38:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2af0e18fcdc1fd07a460ae34537d4b16 (1 x RedLineStealer)
ssdeep	6144:N1OtlrYH8rmHLR1oqQzDtH3CKSS3G2eAe6J8zsFfjak7qvDY0sZChCK:3WlprmHFyq+N31SS3GzAe6J8zE+UqgEj
Threatray	168 similar samples on MalwareBazaar
TLSH	CA84DF023690E073C15569315921C7B58A7EBC7069155E0BBFC9BEBE2F347E3D6A230A
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://dovakl.xyz/IRemotePanel

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1c55d28dcdcf93370495635d3d64e2fd.exe

Verdict:

Malicious activity

Analysis date:

2020-12-07 20:20:03 UTC

Tags:

rat redline trojan evasion phishing

Link:

https://app.any.run/tasks/624ee793-d814-4a9d-8ce4-4334c52526bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107086/

Detection(s):

PUA.Win.Downloader.Firseria-6804617-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/557274

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-12-07 00:25:20 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f3d4qr7qncg76mrjyz3lwfpiryofo26lm4kxgqmip76duibxkgia._file

Verdict:

unknown

RedLineStealer

3d2d9b8e5738024ffaa470410dfae954d73f049fdb2619be6864e399f3da6390

RedLineStealer

457aecc9187cb32bf4a2678fdf61450f013a48460d454e986bae391b03b3cb10

RedLineStealer

53694d09899c9de1600743b37ab45e9dc4e3eaf329dc410e87a3b7318d943012

RedLineStealer

7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb

RedLineStealer

8f479fb175685aa848118801d06cdf077c087265494d2c931b50ab2074ba7183

RedLineStealer

b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04

RedLineStealer

bcd0816d97ffba1d11214540f3bf25344f835281fdd67edba638054527833222

RedLineStealer

d94a672fd4dc3fd14b52c67d37822efd114ed1bbecc49633bbf74509843380a1

RedLineStealer

dfb1f00592d6264a6bf3ad8b02187dfad62d1526fa5b32e667cd6bf884d4db85

RedLineStealer

+ 158 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201207-rx4798vk62/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

RedLine

Unpacked files

SH256 hash:

2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190

MD5 hash:

1c55d28dcdcf93370495635d3d64e2fd

SHA1 hash:

84505c3ae38421fa4dc6017c8d7e27e9b106cdc9

Link:

https://www.unpac.me/results/4fe718be-2577-4f84-bc37-ce93b713f25e/

SH256 hash:

9c8fdb790fcea764ede30a0bf1baef5c02877b55be5306f01e4adc7e0cfe63f8

MD5 hash:

6b48bbb31ce92c2f960fd5b23c680f6e

SHA1 hash:

0ce63eea9942a08f8a1bcf1e7c8bc0b68683659c

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/4fe718be-2577-4f84-bc37-ce93b713f25e/

SH256 hash:

479978b70408563ed6b3e90834c07a5120cb765a297cffe27f0ede3dff5850ed

MD5 hash:

d0cce6f0fbb19f92461d34edbc8b5ec6

SHA1 hash:

af858cd7205c79d8495c293439d9838a5fddf8ac

Link:

https://www.unpac.me/results/4fe718be-2577-4f84-bc37-ce93b713f25e/

SH256 hash:

483b56d648af330bf2fbf69745ac9f7fe483ba1f207eb479ff54cf7e3975f3f1

MD5 hash:

7356752a74682cd36e10a22bb7f5746d

SHA1 hash:

bd6eb04aa77089dfdda5a7b42c0262af99c4db80

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/4fe718be-2577-4f84-bc37-ce93b713f25e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/882082/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/107086/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample