MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46c59be9b6911501ee27c26f2847c35adf3f26b9509693cea629c14bce2277e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46c59be9b6911501ee27c26f2847c35adf3f26b9509693cea629c14bce2277e6
SHA3-384 hash: c73fad0ae7ba65fc942531b34d639685ba9c434b0c20663385ccd6dc1b6c73e8b7193027866bfa001e6353f29ec2b8c7
SHA1 hash: 07a217316884e423843c294551a2bd5aa547dc25
MD5 hash: fbe2cd7ca7135714d866c878a06d42b1
humanhash: seven-montana-two-leopard
File name:fbe2cd7ca7135714d866c878a06d42b1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:20'480 bytes
First seen:2020-12-11 07:15:51 UTC
Last seen:2020-12-11 08:52:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:p2DMOvMyOCHHmQ6TScGc94WP2WwQhYNGGUXY2+:0DMOviCHH36TSD/WOJQTdW
TLSH 3E921A22F7F89732E6FA4BB085BD41405D72F5112903EB5FA9C8024B4723B965F5239B
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://108.62.12.15:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fbe2cd7ca7135714d866c878a06d42b1.exe
Verdict:
Malicious activity
Analysis date:
2020-12-11 07:19:42 UTC
Tags:
rat redline trojan evasion loader
Link:
https://app.any.run/tasks/9858c955-8a8f-44a4-9c62-e4233770017b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107712/
Detection(s):
SecuriteInfo.com.Variant.Spider.1.8930.23224.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Sending a custom TCP request
Launching a process
Creating a file
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a process from a recently created file
Searching for the window
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/561614
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46c59be9b6911501ee27c26f2847c35adf3f26b9509693cea629c14bce2277e6/
Threat name:
ByteCode-MSIL.Trojan.Spider
Create hunting rule
Status:
Malicious
First seen:
2020-12-11 07:16:07 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3czx2nwsekqd3rhyjxsqr6dllpt6jvzkcljhtvgfhauxtrco7ta._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline infostealer keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201211-yt8q6vmpx6/
Behaviour
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
46c59be9b6911501ee27c26f2847c35adf3f26b9509693cea629c14bce2277e6
MD5 hash:
fbe2cd7ca7135714d866c878a06d42b1
SHA1 hash:
07a217316884e423843c294551a2bd5aa547dc25
Link:
https://www.unpac.me/results/6ece348a-cae3-4fc0-b8ff-8c4847cecb4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/46c59be9b6911501ee27c26f2847c35adf3f26b9509693cea629c14bce2277e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 46c59be9b6911501ee27c26f2847c35adf3f26b9509693cea629c14bce2277e6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/906467/
  
URLhaus
https://urlhaus.abuse.ch/url/896517/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107712/

Comments