MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37d2577e213a70576f2c33b0a22562a4044fd7a8ec07f295148e39e0b7cdb83a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 11 File information Comments

SHA256 hash:	37d2577e213a70576f2c33b0a22562a4044fd7a8ec07f295148e39e0b7cdb83a
SHA3-384 hash:	cad703ea8af34fdfc1c091dd227d539395e8af0fa0c2c0934fd336258e3ec8dbde161ed72bf41506bdb6e60d6049960d
SHA1 hash:	b76b41a22d2a486a485d2110fb6d0401de753798
MD5 hash:	e34e907b0f1d87d970d6eb356b7547f4
humanhash:	virginia-maine-red-robin
File name:	E34E907B0F1D87D970D6EB356B7547F4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'187'648 bytes
First seen:	2021-06-16 12:00:30 UTC
Last seen:	2021-06-16 12:56:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	49152:75aj+4vOY+3HuHdB/z3mN77pw/OcCVDhN28p+Ewfke3J6I8he:7X4vOYnHfrmxl2OdnpakCJ6If
Threatray	10 similar samples on MalwareBazaar
TLSH	CDA533C00AD6325BF8D60E767178CB13473A8FAC56A4E8EA07353C991FF7B51352942A
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
188.119.113.198:52233

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
188.119.113.198:52233	https://threatfox.abuse.ch/ioc/117137/

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

E34E907B0F1D87D970D6EB356B7547F4.exe

Verdict:

Malicious activity

Analysis date:

2021-06-16 12:02:18 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/584d2658-d866-45c8-b327-6f0cf05f2bcd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a window

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d904dae3-a2fc-42df-a19a-b8bf3f077dd3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/802988

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/37d2577e213a70576f2c33b0a22562a4044fd7a8ec07f295148e39e0b7cdb83a/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-13 17:07:34 UTC

AV detection:

12 of 29 (41.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g7jfo7rbhjyfo3zmgoykejlcuqce7v5i5qd7ffiury46bn6nxa5a._file

Verdict:

suspicious

RedLineStealer

34e142c3ca75844c48639cfc8f60513d23c02a65addef3bce69f5b49b34277a1

RedLineStealer

5b5eab7a12fdfc6cc39e39193b7a9020ee46e72acac70033236ef9b6b2da32c7

RedLineStealer

5ef8714caf9c7296847b67b27edb93c3aec23d7e77b57d23d0e8607d707a2c49

RedLineStealer

5fc42d8d65da12afe624f5b959b3318a808fe18640d497fa5ed7530748e7935a

RedLineStealer

6c90f16a6932be921cbb44b9e4531cf36e5ded6d5dd0016c4309a56ab8a96461

RedLineStealer

8499aa17997bfbe03592e33e82df1c674f1b57ba3d372355e690b9468ea6fea2

RedLineStealer

85d879be258470ed22d55bb6fda8be5d0b7d480c23d95b252516e85ccad2fec4

RedLineStealer

9bf25f26d20ce89c9a218af61f322f35c79454848f61ad7d72f04ea2c6f33825

RedLineStealer

9dfc0d127c1129cd943b1c6ea494a01b40b6b29656db9a44f3dc3231db127a0e

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210616-ltjmpsgqdj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Unpacked files

SH256 hash:

37d2577e213a70576f2c33b0a22562a4044fd7a8ec07f295148e39e0b7cdb83a

MD5 hash:

e34e907b0f1d87d970d6eb356b7547f4

SHA1 hash:

b76b41a22d2a486a485d2110fb6d0401de753798

Link:

https://www.unpac.me/results/0d2d3b28-c54e-4cef-a688-6fb118220199/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/37d2577e213a70576f2c33b0a22562a4044fd7a8ec07f295148e39e0b7cdb83a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample