MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5273e1a49241f0d712f9eda40183beddfa6c31fd260a59b25bffcd8c0a22158c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5273e1a49241f0d712f9eda40183beddfa6c31fd260a59b25bffcd8c0a22158c
SHA3-384 hash: 272849ae462bc4ff510d6b268da1fc6fab39f5ab58a1cda1d108334fc64d37b6afea6b9c686300d714258c5ee39ecc5f
SHA1 hash: 488d4bb19da2850be564f9aafa324448d06344d7
MD5 hash: 511abbe3413d879eff2006e32f250ecf
humanhash: mockingbird-fifteen-nitrogen-glucose
File name:Pallet Mould MMS Request Order-061522.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:509'952 bytes
First seen:2022-06-15 06:17:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:7EV5LZuJBOnuKI4hY9jf6Xq2nc0rDccec3cyg:qZu3Op69jf6nncifecx
Threatray 1'600 similar samples on MalwareBazaar
TLSH T1ACB4D06023BC4319D17AEBFEF031542407F97627312AF3AD4B5578DA2AD27828533A67
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
103.153.79.195:24688

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.153.79.195:24688 https://threatfox.abuse.ch/ioc/705716/

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Pallet Mould MMS Request Order-061522.exe
Verdict:
Malicious activity
Analysis date:
2022-06-15 06:26:44 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/5d678d02-bde6-4226-b36e-4f5115e88de9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/280043/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.9396.31532.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a9799c5aca718dcaf55cae/reports/49fa7c34-f54f-419a-bf4e-bc90d87d1264/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f33078f0-3691-4d10-a08e-82499445d949
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1013453
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 645945 Sample: Pallet Mould MMS Request Or... Startdate: 15/06/2022 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 15 other signatures 2->45 7 Pallet Mould MMS Request Order-061522.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\...\jPbGWtKUZNf.exe, PE32 7->27 dropped 29 C:\Users\...\jPbGWtKUZNf.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp6CE8.tmp, XML 7->31 dropped 33 Pallet Mould MMS R...rder-061522.exe.log, ASCII 7->33 dropped 47 Adds a directory exclusion to Windows Defender 7->47 49 Injects a PE file into a foreign processes 7->49 11 Pallet Mould MMS Request Order-061522.exe 15 31 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        19 Pallet Mould MMS Request Order-061522.exe 7->19         started        signatures5 process6 dnsIp7 35 api.ip.sb 11->35 37 103.153.79.195, 24688, 49750, 49757 TWIDC-AS-APTWIDCLimitedHK unknown 11->37 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Tries to steal Crypto Currency Wallets 11->53 21 conhost.exe 11->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5273e1a49241f0d712f9eda40183beddfa6c31fd260a59b25bffcd8c0a22158c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-15 00:57:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjz6djesihynoexz5wsada563x5gymp5eyfftms377gyycrccwga._file
Verdict:
malicious
Similar samples:
262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09
RedLineStealer
2aea00a617849d6481827a5215ba64c3423bd2121e7ad35926807e79ac53594e
RedLineStealer
65c3708767175b438a938b8d5d4ae52a1d0cf450a38a4298a41ae9bd73816686
RedLineStealer
7df2d256518cec4656c0ab236d2b26e2d7976382ab75eb0326b5b8c463a6821d
RedLineStealer
9a95de1cbc2bc1bbb8b87c0ea935b9c6675ce2a712465a40cbb2f4dfb85d711f
RedLineStealer
9e3934740535ec45aaa1d9f7a47cafc668d4f9e8ab2b688515a0a540785e7087
RedLineStealer
b8e39ad2627acb33afc0af7f1534f5a48bb49b4aeb46e2ed15f102bb065e62b4
RedLineStealer
ebcf3aeae13aefe1081740f50900a39816f4d8cc4b6699365001b79fdd69d22b
RedLineStealer
ec6260e2fa3a7b5c332df32c1c44b13533a481d04add67596e632dc8898464c2
RedLineStealer
ff073d05223a456c06707ad4be71853e996524b5a5b8b118a977feb6bce9992c
RedLineStealer
+ 1'590 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:firstfile discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220615-g2l7gsdaf5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
103.153.79.195:24688
Unpacked files
SH256 hash:
5e95b92999dc337f367d2c8e91e68daadbcdfc537d2d11fa2612ce68a58e8d04
MD5 hash:
e3df2dd40f0ce5dcd593a52653983ca4
SHA1 hash:
d7d895a35867dc41c8a03ab5ec3aa4e38e1a08a3
Link:
https://www.unpac.me/results/2f914f78-7dda-46a2-8a7c-6816f4f17674/
SH256 hash:
a88f3036b04a091890717f20625e06ecea0ed3f39d927d130ff926673eef655b
MD5 hash:
e108df8e9984413636396f443d28ef70
SHA1 hash:
bdf3e51ca53d961a3ec6cea148ea707a9492cbb5
Link:
https://www.unpac.me/results/2f914f78-7dda-46a2-8a7c-6816f4f17674/
SH256 hash:
1699f740bdcdb3778ca69d53dc9c5fa58edfe1a610cbaa935c40ac73f0c0bad2
MD5 hash:
c50bf647703bcc0dff7ac82bec360565
SHA1 hash:
50ed555e1b6db733c1536931958c33e77c5817d6
Link:
https://www.unpac.me/results/2f914f78-7dda-46a2-8a7c-6816f4f17674/
SH256 hash:
5c6f0374f2c3478ac6e7c8629caf19be1dcfc18b7fae8b41c5cdcc962b30a011
MD5 hash:
933540a953da3d0072a00a86e8d07fc9
SHA1 hash:
13f2b76177c17501486fad10a2ec1563b25b05c8
Link:
https://www.unpac.me/results/2f914f78-7dda-46a2-8a7c-6816f4f17674/
SH256 hash:
5273e1a49241f0d712f9eda40183beddfa6c31fd260a59b25bffcd8c0a22158c
MD5 hash:
511abbe3413d879eff2006e32f250ecf
SHA1 hash:
488d4bb19da2850be564f9aafa324448d06344d7
Link:
https://www.unpac.me/results/2f914f78-7dda-46a2-8a7c-6816f4f17674/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5273e1a49241/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5273e1a49241f0d712f9eda40183beddfa6c31fd260a59b25bffcd8c0a22158c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/280043/

Comments