MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 473fe6b6035aa5b2b061b617b74a6bebec1ed246a2dcaaf66144c22be24776f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 473fe6b6035aa5b2b061b617b74a6bebec1ed246a2dcaaf66144c22be24776f1
SHA3-384 hash: f38343ee08d14189cc0d6e2e1901f3bd2fff9f699b95729e88f3bee654b2975e13072518b7a67a2a05f85fc67a72e253
SHA1 hash: e15842a39025a5ca4f21e80375eaf7bf7e47f6cd
MD5 hash: 6ea066d632ded384c4edc564f749d221
humanhash: iowa-august-fillet-video
File name:ANTIBAN.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:589'824 bytes
First seen:2022-03-02 12:10:10 UTC
Last seen:2022-03-02 14:00:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:ZJp8IHTitUgWOFw5/QS03ULaHNqrxlKIQNobKrRkNZotXvRUXXe:bp8IHTdgBFwNkEaHNYK3jkNe+He
Threatray 1'476 similar samples on MalwareBazaar
TLSH T17DC423E7B3895F80CD0E72F83486961269669BF5E1C0347FB23A46070E600B3EE559BD
Reporter CholeVallabh
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246290/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/621f5ed8b94fb38cb438348a/reports/e46b9b40-26f9-4d66-bd0f-90062ef3dc9a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47b2bd99-8baa-4128-be1f-11e9e864cb2a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949086
Signature
Allocates memory in foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/473fe6b6035aa5b2b061b617b74a6bebec1ed246a2dcaaf66144c22be24776f1/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 12:11:08 UTC
File Type:
PE (Exe)
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i476nnqdlks3fmdbwyl3ostl5pwb5usgulokv5tbitbcxysho3yq._file
Verdict:
malicious
Similar samples:
186fc934615882160b40fa9cd6b082cd097526f9ac85b39bb9bb34688a036d0b
RedLineStealer
302ad40d44d3d35aa760a0628e6e4c1205053a343a09da085c818587c8397edc
RedLineStealer
5b54867f600777e8cec30c3386a3d42f08da4e1a3a4e636f135e25e2d9850603
RedLineStealer
63680cb50ca4c6ec5837dbc45a9a58f9b27fd33fb47e37e4e848225d0d0a1f2f
RedLineStealer
65754345d292205db7518a9c547072b325fe3be3fc322fd6e0f7cd523f00ec6b
RedLineStealer
92ccbbead3ca1c2a221c3dd06da16bb15fe6aef02859087c09c7d248017d955d
RedLineStealer
9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed
RedLineStealer
ae92d01c510158dba98ea9b8b5dabf08fd5ab9bb8da6f9175fe455198ea2e1da
RedLineStealer
e59a89138d5d7d96b4336b9323be581e35b3056180cc4fcf2844027534d5c189
RedLineStealer
+ 1'466 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220302-pclhnaegg4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
fb2327696aa909b4ce170922760f18849a81f193d4b81f5d19d56adb4178c73b
MD5 hash:
b412361343e1cbd42817ca0ce488658b
SHA1 hash:
4c8b9b249d4d7e15dd1b78c026808a46a30e59ff
Link:
https://www.unpac.me/results/5f8ff130-d8c3-4c0d-acaa-697b67278be7/
SH256 hash:
44e930b02824bea8f43e19ffe45018253458c2eba94aee8b0fe3364be6a09e7c
MD5 hash:
2bfa667c314b34cc365a1fd7248a2a7d
SHA1 hash:
8bf725ce221871612a48d22fd1795cb0ab3e638a
Link:
https://www.unpac.me/results/5f8ff130-d8c3-4c0d-acaa-697b67278be7/
SH256 hash:
473fe6b6035aa5b2b061b617b74a6bebec1ed246a2dcaaf66144c22be24776f1
MD5 hash:
6ea066d632ded384c4edc564f749d221
SHA1 hash:
e15842a39025a5ca4f21e80375eaf7bf7e47f6cd
Link:
https://www.unpac.me/results/5f8ff130-d8c3-4c0d-acaa-697b67278be7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/473fe6b6035a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/473fe6b6035aa5b2b061b617b74a6bebec1ed246a2dcaaf66144c22be24776f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/246290/

Comments