MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb
SHA3-384 hash: 23cb6c16c9c5aa001283d2ed661fbc9d789275cbc3b60d848cde0c13c04ef57ad67fcc4480865bb2277a0855f029eb3f
SHA1 hash: f6f24e1b571a0089c05d5a1e00116742f9e98a93
MD5 hash: 7e39e9345427ccc8be9a0137cef89742
humanhash: network-venus-fish-robert
File name:PGMBQUOTE677100923344PDF.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:897'024 bytes
First seen:2021-07-08 17:36:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:WgD9eZ8DvlbUUp0qAMlyveojV0uGO27fY6WntFmPkTJCkoqDwlcbgQtRJd98f+se:WoeZUdUw2d8w6MXmPkckddH
Threatray 635 similar samples on MalwareBazaar
TLSH T1CE155C693140B59FD723C87289998C20F57874FF6337C94B2283265DA54E703AE963BE
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
212.192.241.89:7225

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.192.241.89:7225 https://threatfox.abuse.ch/ioc/158709/

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PGMBQUOTE677100923344PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 17:39:48 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/df86d501-128e-4638-8cd3-7fe7420c355e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170528/
Detection(s):
SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.253.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/528660c6-603f-4404-9b6e-b7fbf9ba33ec
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813656
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 17:37:09 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=imeh5kkjbp53yeqw3du253haptybex6yx66k7d7xe3etvxd32tvq._file
Verdict:
malicious
Similar samples:
015409fbfd267cc10311ec0949998773921d2eff96524a98219945e5de391ed7
RedLineStealer
2e641d4ca1ec2d70e05dcfea340e14375c20cc66dcb964c003a43a71ae8ea911
RedLineStealer
2ff7ffce923329f55bc637371e54822d6ceee9962c807ccc42e3301e0a8a2cae
RedLineStealer
5b70671ab8aa3c1ffa49c6848dc3f90a75d570b73b3ab74ae0ae053a71235e26
RedLineStealer
6c529300665e2cfd74a5375533e6b7e9c4cf4eda074c1578683d0094edb6ef94
RedLineStealer
7ae4b1290aa4d0f4f7985604c7ab31f82ee88f15e1a94042723ecc45f141da46
RedLineStealer
987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8829d6d537660b7f2826
RedLineStealer
a5a1d72b8d7045cf92e3fc39b72cf251a015464f1f7920aa028b341d3f646ee8
RedLineStealer
c88aa7ed56d611114cd6e9376e42a608103f371d5ceeb82c1c0253cb7d1d7151
RedLineStealer
d22d7ec3a9db9edb88cd373986a8aee46fc90bcb1339b147880301351d5ee522
RedLineStealer
+ 625 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210708-73eye6y3zj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
newlife957.duckdns.org:7225
Unpacked files
SH256 hash:
89f8945fcd97b163f0f4d4fc7951e630c2ad7046ef2de3162740704f88d35efa
MD5 hash:
3c08ac9efced6b1703bfd87edb1ef985
SHA1 hash:
ca2364dc56f70f176bf9174f9cb05644af315645
Link:
https://www.unpac.me/results/9de8748f-defc-4f99-9642-87c0602be89c/
SH256 hash:
95ed28b8e00d2c6f545f0176ed56c6348e3395a2afdb21432b387d53e37e937b
MD5 hash:
541cfb6e267388f9eb45ebdf6d440739
SHA1 hash:
80559753cdd637646472383c2f8e3e136803f506
Link:
https://www.unpac.me/results/9de8748f-defc-4f99-9642-87c0602be89c/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/9de8748f-defc-4f99-9642-87c0602be89c/
SH256 hash:
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb
MD5 hash:
7e39e9345427ccc8be9a0137cef89742
SHA1 hash:
f6f24e1b571a0089c05d5a1e00116742f9e98a93
Link:
https://www.unpac.me/results/9de8748f-defc-4f99-9642-87c0602be89c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170528/

Comments