MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33ca0e126781911285eecf450b3a6970e971abe3e03d6261186ec10674bf2319. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33ca0e126781911285eecf450b3a6970e971abe3e03d6261186ec10674bf2319
SHA3-384 hash: 94c2b181209ddd7b94641e627121c2e5fb1bae6a3d597d149a7cdfdbd81c6547a5b481df6ef8eebdbd60bcaf1c173784
SHA1 hash: 6ffbd31c4a062da96c2c146a1a2b81f4da9754ff
MD5 hash: f54bf2ee1f10189aa99477761c1c4705
humanhash: magnesium-sixteen-autumn-equal
File name:PGMB7666799210001PDF.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:642'048 bytes
First seen:2020-10-21 10:03:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:1ML6ROZ2x+FzHv2PJUi321jCaY/7EO11F0HASiyyjK:SLT++FzHOPJUjjCD/4MJd8
Threatray 20 similar samples on MalwareBazaar
TLSH 89D49E423184DD99E0672BF6446FD12023F4BD9FC265C60D3F86BA1B65E770220ABB5E
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
Malspam distributing RedLineStealer:

HELO: usegreenco.com
Sending IP: 50.78.187.17
From: Lydia Yonkers<sales@usegreenco.com>
Subject: Quote Request
Attachment: PGMB7666799210001PDF.IMG (contains "PGMB7666799210001PDF.exe")

RedLineStealer C2:
http://maranaty.xyz/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73991/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Creating a process from a recently created file
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505613
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301852 Sample: PGMB7666799210001PDF.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected RedLine Stealer 2->61 63 11 other signatures 2->63 10 PGMB7666799210001PDF.exe 3 2->10         started        process3 file4 39 C:\Users\...\PGMB7666799210001PDF.exe.log, ASCII 10->39 dropped 71 Injects a PE file into a foreign processes 10->71 14 PGMB7666799210001PDF.exe 3 10->14         started        signatures5 process6 file7 41 C:\Users\user\AppData\Local\...\chrome.exe, PE32 14->41 dropped 43 C:\Users\user\...\chrome.exe:Zone.Identifier, ASCII 14->43 dropped 73 Tries to harvest and steal browser information (history, passwords, etc) 14->73 18 chrome.exe 3 14->18         started        21 cmd.exe 1 14->21         started        signatures8 process9 dnsIp10 65 Injects a PE file into a foreign processes 18->65 24 chrome.exe 15 22 18->24         started        45 127.0.0.1 unknown unknown 21->45 67 Uses ping.exe to sleep 21->67 28 conhost.exe 21->28         started        30 PING.EXE 1 21->30         started        signatures11 process12 dnsIp13 47 api.ip.sb 24->47 49 WHOIS.RIPE.NET 193.0.6.135, 43, 49733 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 24->49 51 7 other IPs or domains 24->51 69 Tries to harvest and steal browser information (history, passwords, etc) 24->69 32 cmd.exe 1 24->32         started        signatures14 process15 signatures16 53 Uses ping.exe to sleep 32->53 55 Tries to harvest and steal browser information (history, passwords, etc) 32->55 35 conhost.exe 32->35         started        37 PING.EXE 1 32->37         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33ca0e126781911285eecf450b3a6970e971abe3e03d6261186ec10674bf2319/
Threat name:
ByteCode-MSIL.Spyware.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 21:40:52 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gpfa4ethqgirfbpoz5cqwotjoduxdk7d4a6weyiyn3aqm5f7emmq._file
Verdict:
suspicious
Similar samples:
253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1
RedLineStealer
5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a
RedLineStealer
5d2fa0d44c473d9306e4b644140d52c3f97f0ad861e60440f154639278296ca2
RedLineStealer
70195e1ff5377fe53bd4faecadf3464e16c36d2859385a616ea6f343ff773ee7
RedLineStealer
be4f7ec80edb008a8ce1fdac488f14fb652f21ccd87cda469c80c866ab7ef912
RedLineStealer
be6d4618333f5bca53591236f870ab7d368843e7b32b3333d97a4a72d920559a
RedLineStealer
c275838c21fb95937bac4d383e415c16170a5fa05706c1f1939020beac90f2f9
RedLineStealer
c68e4b825434bac34abd9d5428ea2c30fc60c8b47db17de743782825687547d5
RedLineStealer
d0d44ccb48b649e89a18773ccea8337047e57247d29dbedc1abab31f265e7e45
RedLineStealer
e504a9d064697f26b43c0f35c14055ebf01509e0f6b421c3997ed89f830117ff
RedLineStealer
+ 10 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla persistence discovery infostealer family:redline
Link:
https://tria.ge/reports/201021-m2j7q7exke/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
33ca0e126781911285eecf450b3a6970e971abe3e03d6261186ec10674bf2319
MD5 hash:
f54bf2ee1f10189aa99477761c1c4705
SHA1 hash:
6ffbd31c4a062da96c2c146a1a2b81f4da9754ff
Link:
https://www.unpac.me/results/e3b23dfe-f290-484e-90e1-8b9471aaaf78/
SH256 hash:
f12f65ad480143f224a6554e3b39891d15a02a4c4304a4e612d5e96effed7589
MD5 hash:
4c11d729b6ad8fa9958c57d0bc1fe7a1
SHA1 hash:
3aa0702ca1cab84adcd7747979f98108d59006a6
Link:
https://www.unpac.me/results/e3b23dfe-f290-484e-90e1-8b9471aaaf78/
SH256 hash:
d3e37e1d010a43011f61b3db7e696ef6aa050d8e7137e1195b4f177bfdeb9cbe
MD5 hash:
3621510e89eaf78c166e89b75cfa965e
SHA1 hash:
664a65321ce3bad4ba32cd556c57bb1e107b2c3b
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/e3b23dfe-f290-484e-90e1-8b9471aaaf78/
Parent samples :
33ca0e126781911285eecf450b3a6970e971abe3e03d6261186ec10674bf2319
22e8a783296dcabf49cb2c9b5f5a05b1cf670591e71130b08424a450aa54c419
b28088f23be9a22ed95c6ff500e48e8958c7fff6eb288f890665ec6399a6e2af
SH256 hash:
4ad7891a7427e64890beeffd0a40fc6bfbada1e3c4c2c8f4e01833d0b95a14a7
MD5 hash:
c572ea7d28c0b2199ec965e7a306c44d
SHA1 hash:
9d787f17de95214c507348f3f960da6616a8df1d
Link:
https://www.unpac.me/results/e3b23dfe-f290-484e-90e1-8b9471aaaf78/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/e3b23dfe-f290-484e-90e1-8b9471aaaf78/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_redline_stealer_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:Detects unpacked main component of Redline Stealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

img 1b3fb9ba285170c77f93034baa7ca4cb33df3049ba929dd6e63277758395a1d7

RedLineStealer

Executable exe 33ca0e126781911285eecf450b3a6970e971abe3e03d6261186ec10674bf2319

(this sample)

  
Dropped by
MD5 7f79250fa4af22af181424849f1fec02
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73991/
  
Dropped by
SHA256 1b3fb9ba285170c77f93034baa7ca4cb33df3049ba929dd6e63277758395a1d7

Comments