MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd
SHA3-384 hash:	3ba33f63b58b7888f0de63e5ee116efdc854e23ebf26986a28e127490e0623dc1dd4f2b329636e7e543ddf160ff2836f
SHA1 hash:	2e48e08c75486a10eb463ee34826c9a2fc207e96
MD5 hash:	f38d9b74c3608660961b92448d249323
humanhash:	wyoming-burger-beer-nuts
File name:	f38d9b74c3608660961b92448d249323.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'393'800 bytes
First seen:	2020-07-08 10:10:48 UTC
Last seen:	2020-07-08 11:14:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:UuvRqc+NOsEhOGhPZhla3AUVNgLRcslhtWVN3jhoxUy9slhtWWJMI:U4OGhPZX4IRRhtWyV4htWcMI
Threatray	130 similar samples on MalwareBazaar
TLSH	D455CF337682EB7BE6806F7251AFA2381B628DD3F22567DF3A5C392D25F23310905654
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://llilalad.club/IRemotePanel

Intelligence

File Origin

# of uploads :

2

# of downloads :

90

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23046/

Detection(s):

SecuriteInfo.com.Generic.HEUR.QVM03.0.6D0F.Malware.Gen.11357.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

DNS request

Sending a custom TCP request

Creating a file in the Windows subdirectories

Connection attempt to an infection source

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-07-08 10:12:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h3tje54uigz2cruz5xaptljgtrmcqhkxgxcxbkkgr4dxooo3e3oq._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

3690d387e841f98e0a92a700196961b11b717b0f543e601d7e0f6c848cc77bbf

692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8

8a6b671ef4fc65efa1bd306da35f4bf2a18814d1ecf0f868ff2f27177fb37809

cfac75f3ee6ba6f7816e73908f679a7c185b12044580c1f6b0cbf41dfe74b0f7

d0e642197915ade19fb4c2df299063e49ed7f650e4b3b6ee90d4f0d626b900c3

dbbc9e640af23658de56eba2f5ec2152de38fa35f11343f0d2216b8b5d7967a8

e8406edde4743eec38d88fd58f2c79b11d09d76bcd57b757cdf5844ea5bd55e7

ed1a371e8918f6f1dde9fad1e3edb2c984ea3704217e2bca5b2489b61d1bc56e

ee5330d0a01cd004994c5798a3c0c09b160b560e6cdb3f2509b9af2431a0a8fd

f208226c60c95ee10f879f0f38ad9bf85a30fa411d6d20893e9ddaea5a0daf20

+ 120 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

evasion spyware trojan discovery infostealer family:redline

Link:

https://tria.ge/reports/200708-7t7fr84b4e/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Modifies system certificate store

Checks for installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

RedLine

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/407605/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/23046/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample