MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f74bff32ab2d757c7ff5e771be792eac495e84ec7e50cd7541e3fb8a1fdaf61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f74bff32ab2d757c7ff5e771be792eac495e84ec7e50cd7541e3fb8a1fdaf61
SHA3-384 hash: 81735e078a60c48da6a152e7d76afc39592edbd09fff453c5667b411591fb81a42cd2faed59980f7818dfbf65ef43f98
SHA1 hash: 729cf939c035d31c079dcf4ffefa4b3590bea2ed
MD5 hash: 7bb6b658088cd69dca087e3a3f54ad73
humanhash: avocado-muppet-autumn-hotel
File name:log2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:413'696 bytes
First seen:2020-10-14 02:38:24 UTC
Last seen:2020-10-15 14:28:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:v7Dk0m+XekNCamHsvUILyu3MejqDBXwpJ:TDasM1FItqBXwp
Threatray 92 similar samples on MalwareBazaar
TLSH 689429036E9488CBF05614F6FD19482F8250CBC4608BEF2BA565763D51EBB602BDED39
Reporter Lokesh42651261
Tags:RedLineRAT RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70650/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.34064.13166.1562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Deleting a recently created file
Reading critical registry keys
Replacing files
Running batch commands
Searching for the window
Launching a process
Connection attempt to an infection source
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP POST request to an infection source
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/490548
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f74bff32ab2d757c7ff5e771be792eac495e84ec7e50cd7541e3fb8a1fdaf61/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 18:31:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f52l74zkwllvpr77lz3rxz4s5lcjl2coy7sqzv2udy73rip5v5qq._file
Verdict:
malicious
Similar samples:
115da9e10213d298ad85f927376dc0d1c51a1227dd254f12d8234355b7cc8f8b
RedLineStealer
3808406b1791c3ded2f4c0d969e4141d613fc5695d72afe9bc299488d115a048
RedLineStealer
3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd
RedLineStealer
411ce03275828c11e70ff5a393221295f20cce99eaea12d003242e389eab30bc
RedLineStealer
692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8
RedLineStealer
7125dae23916e0b17700b1282450897c2fcf025d507c9dc5353dd7bb7fe140b3
RedLineStealer
c41873f177a61ec1e1cb628db96cddd70204b8a530e392bf210d7d4136be7375
RedLineStealer
d0e642197915ade19fb4c2df299063e49ed7f650e4b3b6ee90d4f0d626b900c3
RedLineStealer
e38724644ed4643ebcdea6b0ae8345bf094d9f6e6d81b0acb244f96a3129077e
RedLineStealer
f7289a6b1ebe784cb27873f8c8afb492d2ed9316b794f9aa13088d0a58c4c6db
RedLineStealer
+ 82 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla discovery infostealer family:redline
Link:
https://tria.ge/reports/201014-bhhjp94ag2/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
5334db1da64c0ee5490e0f722ff2a7d1cdabcdf144410a2b7b7a4eac9a98d07f
MD5 hash:
8a49fa7235ec85fbb2e2b24f4089650b
SHA1 hash:
edc7e40729ba8f96d189b3852cc578e32459553a
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/8f083721-208f-4c17-a754-f30109e64126/
SH256 hash:
e701fb86e8a1f4b01fa60855b2e3bf77cd3f5c7f324e92e3155d0c62fe463b02
MD5 hash:
0b4f851db751bd2bf53c7dc62a977bea
SHA1 hash:
0fb504dae753f876a34f956bc85d2f214e6ee9b3
Link:
https://www.unpac.me/results/8f083721-208f-4c17-a754-f30109e64126/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/8f083721-208f-4c17-a754-f30109e64126/
SH256 hash:
2f74bff32ab2d757c7ff5e771be792eac495e84ec7e50cd7541e3fb8a1fdaf61
MD5 hash:
7bb6b658088cd69dca087e3a3f54ad73
SHA1 hash:
729cf939c035d31c079dcf4ffefa4b3590bea2ed
Link:
https://www.unpac.me/results/8f083721-208f-4c17-a754-f30109e64126/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f74bff32ab2d757c7ff5e771be792eac495e84ec7e50cd7541e3fb8a1fdaf61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Choice_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

Executable exe 02d3e29c37af562636fd0020a6c586711fbbab3838a82dbd25987d14ed919c65

RedLineStealer

Executable exe 2f74bff32ab2d757c7ff5e771be792eac495e84ec7e50cd7541e3fb8a1fdaf61

(this sample)

  
Dropped by
MD5 92c266fc98140a485fb46d6cc41fc0fc
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/70650/
  
URLhaus
https://urlhaus.abuse.ch/url/690726/

Comments