MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aca76d7bdd23aa701fffa2994e4b9438439056ad0317b78f6c7251b3fb9f2c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aca76d7bdd23aa701fffa2994e4b9438439056ad0317b78f6c7251b3fb9f2c5
SHA3-384 hash: 667b7b6a7f1d1fe759d51054221cd71bc0775faa30d01b7a42a781638d264c8bc85210b531348f9b7b619e7d3a7fe855
SHA1 hash: 275ec6d2f24e7c2eefdb046481d9db07f3d9397e
MD5 hash: 674e32f55ee780fa54fc9658c33834da
humanhash: oklahoma-oregon-december-sad
File name:674e32f55ee780fa54fc9658c33834da.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:805'336 bytes
First seen:2021-05-04 00:40:41 UTC
Last seen:2021-05-04 01:00:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:GSC6RieX93OcR4qz8DyMyoMlflQrhbEYwPJWI57YBb7ZBzzDPfytpMXY4bgvFYRI:vr5Wz3dXYfmPdFrTBY
Threatray 85 similar samples on MalwareBazaar
TLSH F8055B209E84EF79C1AD7B77922F451603F1A0E24331D70D7E9FE6F52C5292B2A4A721
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.181.152.183:31019

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.181.152.183:31019 https://threatfox.abuse.ch/ioc/28526/

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://raw.githubusercontent.com/adgikaaa/443/main/DogeTab.zip
Verdict:
Malicious activity
Analysis date:
2021-05-03 14:44:41 UTC
Tags:
teamviewer tvrat rat trojan evasion loader
Link:
https://app.any.run/tasks/5043c9f6-6ba4-4a26-8100-75a264a2ef64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/149544/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.688-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/708777
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3aca76d7bdd23aa701fffa2994e4b9438439056ad0317b78f6c7251b3fb9f2c5/
Threat name:
ByteCode-MSIL.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-05-01 01:34:00 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlfhnv552i5koap77iuzjzfziocdsblk2ayxw6hwy4srwp5z6lcq._file
Verdict:
malicious
Similar samples:
2872f74fbf7bd3e63d2dec6c9f1521bce6b38a6718ea67d123a21908634c45ef
RedLineStealer
38dcfe4f6c31cd0e5c90fc55a2413e3c25342c89b90c42b54cb2a2fe8c9a1c77
RedLineStealer
39e51d5d0ed297f10acac6eaac6e199ebec75e8594359bfe2cce30beb6082a34
RedLineStealer
78a7bb5274701b31057cc19436db010761a8b35d47fd1b9d23dc714b932b6009
RedLineStealer
9658197c370e5eb1ab5d88687883b342f5b2accda492657e9cb3ca9412ac06ac
RedLineStealer
a8329629c80d525e329535dd082ead92132588a0663903c55bf30e24af451efe
RedLineStealer
ae48a7ceeddca46f00d29453abe2cb1d4f7adbe4845688b9e2f911f0d7771b92
RedLineStealer
b0fbc0cb8f9d0b065439e1cee2fcd98d020f3abe54f0940ff661b3952d4a52e5
RedLineStealer
b5088e71620e86cf712292d9e7a29320f26c58b711217722ed9a500484ceea52
RedLineStealer
e91b7721a20288556df05eff5b56bbd6de22242c003816d4a4dbe5d8e56c9d7d
RedLineStealer
+ 75 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pidr discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210504-2ja1bhwqhs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.181.152.183:31019
Unpacked files
SH256 hash:
11cf5a51e593c007ff4f91294cf505ffd5e425e56387c60d81e6479cc284cc3b
MD5 hash:
73cc3f7e7700e6a54cb5f291dffe5aa1
SHA1 hash:
09174f9fa55c9bac0540efb7a8c682878a32d02d
Link:
https://www.unpac.me/results/c28d5126-8feb-4ce0-9629-f0601ccfa9df/
SH256 hash:
3aca76d7bdd23aa701fffa2994e4b9438439056ad0317b78f6c7251b3fb9f2c5
MD5 hash:
674e32f55ee780fa54fc9658c33834da
SHA1 hash:
275ec6d2f24e7c2eefdb046481d9db07f3d9397e
Link:
https://www.unpac.me/results/c28d5126-8feb-4ce0-9629-f0601ccfa9df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/3aca76d7bdd23aa701fffa2994e4b9438439056ad0317b78f6c7251b3fb9f2c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149544/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 00:59:38 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing