MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33f6371aa2a9ab319f7292e4e589aff44894f639767cc174e487dc1672ee03d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33f6371aa2a9ab319f7292e4e589aff44894f639767cc174e487dc1672ee03d2
SHA3-384 hash: ce11dfb5259bdbc26bbfbe19a20b33607dbbdf6abb5e4c3b3cd0885b8be0c4c76d61c13cd7ffe76616ace8501d581ce7
SHA1 hash: 4f0887e551b79ef9ef0598c767a8db8fa0689fab
MD5 hash: 843a44fc8293f876b0568ac437ebcd8a
humanhash: lima-paris-paris-two
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.59811.8602.13414
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:459'264 bytes
First seen:2020-12-01 01:45:02 UTC
Last seen:2020-12-01 05:52:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:dyreLX7Uao0SjYTES/uoAv5v7j7AgQgcPMBakJzmrssscrUknYxDXLGk0fZqBhi:dWaw4rSv7jcgQglBa1dcGXCi
Threatray 60 similar samples on MalwareBazaar
TLSH 60A4AE5EAB5ACB06D0041DBA4AEB1D7803F7CED51932CB83B9957F188D34185FD42AAC
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106146/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.59811.14129.6688.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/551564
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33f6371aa2a9ab319f7292e4e589aff44894f639767cc174e487dc1672ee03d2/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-29 01:36:27 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gp3dogvcvgvtdh3sslsolcnp6rejj5rzoz6mc5heq7obm4xoapja._file
Verdict:
unknown
Similar samples:
0215f9dd19951e07aaa5ddfed10c4b46af716a8e3ce1ccb853f0992d14ee3e34
RedLineStealer
0d5bfc0c20d8142640a572b53e611015b225c0312faac51006c299e59a061a8a
RedLineStealer
40e054c5c315d144c46e4caab2eb10d61f71c8f3cb97a85e81b96ce6a306463d
RedLineStealer
446edc0d1f7fff55b43dc47d935ac4c8b4ec345a5edaf90f5ea2122d3137f19b
RedLineStealer
608d70c1cb35d04fa09469743651ee50e859d9ea016f7492bc53008de310deb7
RedLineStealer
91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c
RedLineStealer
96fadfece02fcc7d1b3f8e98c1df30dc61e9e8298543de46b54ad088f18aec59
RedLineStealer
b185c97cf356748005cda3b4ccb5a6df0e059c8869ba3b3f33595984bb60f380
RedLineStealer
f1d81ae5a4ea7a71d5d7147565fecca141a8e03148ef3c9e7583b9159923d17a
RedLineStealer
f9606e3e6dda93ec347cb4de7181ec53d26c6cbf7936097502170935d3afe0df
RedLineStealer
+ 50 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201201-l31rdcfrc6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
33f6371aa2a9ab319f7292e4e589aff44894f639767cc174e487dc1672ee03d2
MD5 hash:
843a44fc8293f876b0568ac437ebcd8a
SHA1 hash:
4f0887e551b79ef9ef0598c767a8db8fa0689fab
Link:
https://www.unpac.me/results/2c60e25f-d5a6-4998-8a76-afec5268cdaa/
SH256 hash:
4712d7506803c5a5edc8f47bdcab56c276db2df5d06ff15cc204953f60c0579e
MD5 hash:
a2e246fd4783d819ea3aaf5d8e1c91f3
SHA1 hash:
04d2a2eabd0798c564174040f4809402dcf07b01
Link:
https://www.unpac.me/results/2c60e25f-d5a6-4998-8a76-afec5268cdaa/
SH256 hash:
c4e01acd68481a0d3ab695861583f6ec27c0f81d7c685e3ef1bb92720c5fd31f
MD5 hash:
c0e2775a8aa3fd64fc559db1ceda0d4d
SHA1 hash:
8760e3bf4d83a0ea92543c96999f32ff31c4f8c8
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/2c60e25f-d5a6-4998-8a76-afec5268cdaa/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/2c60e25f-d5a6-4998-8a76-afec5268cdaa/
SH256 hash:
ae7f8afbf8ad146781c2a82422a8c8517ae7a0513ead5bfb3bdca1ddcf0f91fe
MD5 hash:
f971dfa0a6aff5f7c0362b6b90f17a20
SHA1 hash:
fe7c6912e78ddc1a8fbf7c513a2902d2d2039bb2
Link:
https://www.unpac.me/results/2c60e25f-d5a6-4998-8a76-afec5268cdaa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33f6371aa2a9ab319f7292e4e589aff44894f639767cc174e487dc1672ee03d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 33f6371aa2a9ab319f7292e4e589aff44894f639767cc174e487dc1672ee03d2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/870977/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106146/

Comments