MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 356726b20529e961530d6f9045365a126afccf42db8b47dbffb3aa222e55f78d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 356726b20529e961530d6f9045365a126afccf42db8b47dbffb3aa222e55f78d
SHA3-384 hash: 2d6099bad54bc5aa319d7156cc322186d6bc4c004b89159a5fba6d321903ad8ad0e31229a7121696e21718a315371d3f
SHA1 hash: f9d9cf41fceff297b6d4fff3fa5ab61be40e3591
MD5 hash: 65c52651f68f8e165607ececcb5984ad
humanhash: illinois-nevada-sweet-sierra
File name:65C52651F68F8E165607ECECCB5984AD.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:45'592 bytes
First seen:2021-06-28 23:30:51 UTC
Last seen:2021-06-29 00:34:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:EA6MKV0qp4/oxcGeNRFyJztP5HKPI3tASgOL1SHBzpjPYT//M4+67csH2s/L0Gf4:ED0H/MkgzR5qPI9AS0VNYQ36Aiq84OA
Threatray 518 similar samples on MalwareBazaar
TLSH BB233C5644A4B14AE9934CF01A54EC763E3CA7B21C80D10DE466D25CCF87BEA74DCAEE
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.35:23276

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.35:23276 https://threatfox.abuse.ch/ioc/155444/

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
65C52651F68F8E165607ECECCB5984AD.exe
Verdict:
Malicious activity
Analysis date:
2021-06-28 23:32:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/15b6507e-576d-4e09-90b5-ed379fed1136

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168642/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.19648.2245.23854.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine infostealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eacd6134-e1ba-42a9-afa8-5531604b34d4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809047
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441458 Sample: sh5SJeEGPS.exe Startdate: 29/06/2021 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 4 other signatures 2->49 7 sh5SJeEGPS.exe 21 7 2->7         started        process3 dnsIp4 35 kakosidobrosam.gq 104.21.67.197, 443, 49730 CLOUDFLARENETUS United States 7->35 33 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->33 dropped 51 Adds a directory exclusion to Windows Defender 7->51 53 Hides threads from debuggers 7->53 12 sh5SJeEGPS.exe 14 7->12         started        16 WerFault.exe 7->16         started        19 cmd.exe 1 7->19         started        21 3 other processes 7->21 file5 signatures6 process7 dnsIp8 37 185.215.113.35, 23276, 49748, 49762 WHOLESALECONNECTIONSNL Portugal 12->37 39 api.ip.sb 12->39 41 192.168.2.1 unknown unknown 12->41 55 Tries to harvest and steal browser information (history, passwords, etc) 12->55 31 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->31 dropped 57 Tries to evade analysis by execution special instruction which cause usermode exception 16->57 23 conhost.exe 19->23         started        25 timeout.exe 1 19->25         started        27 AdvancedRun.exe 21->27         started        29 conhost.exe 21->29         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/356726b20529e961530d6f9045365a126afccf42db8b47dbffb3aa222e55f78d/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-06-26 18:42:12 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gvtsnmqffhuwcuynn6iekns2cjvpzt2c3ofupw77wovcelsv66gq._file
Verdict:
malicious
Similar samples:
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
RedLineStealer
63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6
RedLineStealer
8b80872d81924c99b79ae840ae227d46dc0010b368cea1e54074dd46890074bd
RedLineStealer
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
RedLineStealer
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
RedLineStealer
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
RedLineStealer
bb21c783c0ab2672f80d2cafee36a7108fa588ef17896be3f374c0c351a89dbc
RedLineStealer
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
RedLineStealer
ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf8cf9155e67e7a460c2c
RedLineStealer
d89c68b81a492812f334c6485f8867419efb302da480f13d56ce1e9801c20096
RedLineStealer
+ 508 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mtv discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210628-dshk1vqvpe/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
185.215.113.35:23276
Unpacked files
SH256 hash:
356726b20529e961530d6f9045365a126afccf42db8b47dbffb3aa222e55f78d
MD5 hash:
65c52651f68f8e165607ececcb5984ad
SHA1 hash:
f9d9cf41fceff297b6d4fff3fa5ab61be40e3591
Link:
https://www.unpac.me/results/fc84f000-a3d3-41f6-8163-f6853dc41eec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/356726b20529e961530d6f9045365a126afccf42db8b47dbffb3aa222e55f78d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168642/

Comments