MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45c3f3af9f9d0c905dcb43df313ecf62364fa7cbab78236a3c049700556b1d63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45c3f3af9f9d0c905dcb43df313ecf62364fa7cbab78236a3c049700556b1d63
SHA3-384 hash: 393008555386ef7816b698bbfe12733f7f71ecdb9af3bd67ff86bffb3ede725eb586bbd2a67eb8bba987599c29f430b3
SHA1 hash: da0f490f21bda3d8c0fc0743981f5e4420a7bdc9
MD5 hash: 1a2b2090b89823316ac5cb2f242a0213
humanhash: fillet-oscar-mobile-violet
File name:1a2b2090b89823316ac5cb2f242a0213.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:249'584 bytes
First seen:2020-12-09 10:32:15 UTC
Last seen:2020-12-09 13:02:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 3072:ovbkUV46AGiUT6kkIX8u4MzqYMsKcMrNqGRXt9+RAD+:CkUfAGnsIX8LMuYZrMrsqXHX+
Threatray 250 similar samples on MalwareBazaar
TLSH 10349C92E3455F22DC5D0F33B1A60ED1EA71EC7F6602960A6C9673CB0E7328119D1F6A
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://5.34.179.132:12443/IRemotePanel

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://hellousa.info/filestoload/cli/remeus.exe
Verdict:
Malicious activity
Analysis date:
2020-12-09 14:54:31 UTC
Tags:
rat redline trojan
Link:
https://app.any.run/tasks/184f7785-f3d3-455b-9b15-d65b058a1347

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107424/
Detection(s):
SecuriteInfo.com.Variant.Bullseye.1.3028.7404.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558858
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45c3f3af9f9d0c905dcb43df313ecf62364fa7cbab78236a3c049700556b1d63/
Threat name:
ByteCode-MSIL.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-12-09 00:44:45 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ixb7hl47tugjaxolipptcpwpmi3e7j6lvn4cg2r4aslqavlldvrq._file
Verdict:
unknown
Similar samples:
20b8b1c1b7aa1a707819434f2ce27db4d8d2b613da99b491f94ad44db1d241e0
RedLineStealer
2224e77a950a10ddf527d06e3083641ef929afcf2eb7d195f749f404a511f4c2
RedLineStealer
2d5d3ed366994f5e1fc9ca69d7a5bafb242ee071c1ad021b6d255f2f09b0e269
RedLineStealer
2dc5c0066540aaeb6212c84a4c8e9e8655f943da800b35486587e9b1a4458b08
RedLineStealer
50c00ba4f97272838fbad92ea5f192ca154da696fb0691b1b730c025c930776f
RedLineStealer
8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a
RedLineStealer
a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
RedLineStealer
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
RedLineStealer
d740674533d5c0fb220dceec7eb0d440a1f01231a728030b355361b9f0aeff77
RedLineStealer
f1f02609df5674a0ad67ce6d2bd2f07dd7616eb2995b07f31ae431a956036ae9
RedLineStealer
+ 240 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline infostealer keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201209-rhvv2j9zlj/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
45c3f3af9f9d0c905dcb43df313ecf62364fa7cbab78236a3c049700556b1d63
MD5 hash:
1a2b2090b89823316ac5cb2f242a0213
SHA1 hash:
da0f490f21bda3d8c0fc0743981f5e4420a7bdc9
Link:
https://www.unpac.me/results/fe5290d8-e99f-41a4-8b67-07fd53d6f3c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Bullseye
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/45c3f3af9f9d0c905dcb43df313ecf62364fa7cbab78236a3c049700556b1d63

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 45c3f3af9f9d0c905dcb43df313ecf62364fa7cbab78236a3c049700556b1d63

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/896394/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107424/

Comments