MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53dc7f330bc5df4e3443064b653a94435af34f0f0de5949142efcc86cf6cd5ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53dc7f330bc5df4e3443064b653a94435af34f0f0de5949142efcc86cf6cd5ca
SHA3-384 hash: 82dfb92f0f33607a5a803446119a67eb496f2c7618f8345f9f59f6f65ef752c5e147ebb7aa56c2bafa5adefdf17d6059
SHA1 hash: 0879b7bae608270e5a8d1e745173ddbc61c6268e
MD5 hash: f4130da97980d97dda8c1917ec49d04c
humanhash: nineteen-potato-alpha-hawaii
File name:f4130da97980d97dda8c1917ec49d04c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'050'624 bytes
First seen:2022-01-17 19:32:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:evz8vawzJo1M/VBWQl7duYlULWWr1U85B2Ad7fpy+W0msO6QPmIU1Wt3:ILwhVb7/eLl1UMl9fUfmGt3
Threatray 125 similar samples on MalwareBazaar
TLSH T1E0252BDD51D14849CFEF07F00DFBE22E857296C613474BEA732E95F0AB2208EA56D4A1
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f4130da97980d97dda8c1917ec49d04c
Verdict:
Malicious activity
Analysis date:
2022-01-17 19:34:38 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/28006af8-c6b3-478e-8980-763f2fa66957

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219910/
Detection(s):
SecuriteInfo.com.AgentTesla-FDCVF4130DA97980.30939.5275.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61e5c4800f8c757253c5997e/reports/aab9b6e0-509d-495f-933a-429621a90dad/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d98eb787-9e51-4ca2-a8f9-d236de30cf35
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/922005
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53dc7f330bc5df4e3443064b653a94435af34f0f0de5949142efcc86cf6cd5ca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 19:33:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kpoh6mylyxpu4ncdazfwkouuinnpgtypbxszjekc57gint3m2xfa._file
Verdict:
malicious
Similar samples:
06de7a6020311d1148c053a1b4d620a556e4ec46c670b44f1f280b4fbd68dfd2
RedLineStealer
1237f60be32fedd4729cc33b077a902382c15c495327cfa55650ca66642506d1
RedLineStealer
2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08
RedLineStealer
48176fd5dc0e6fdc6c0319189f298bbd1eec3059b8fe2c58c5d2b18cb9cae756
RedLineStealer
492ee4f4523bbce520cee6d63b3175a720ba7f7f5d6a8adddfff58d0ac909fe9
RedLineStealer
7747f0397ef330b53d0bd68dfe9ed416a935851760657b7df0ed93a7a8a5692c
RedLineStealer
9e5cd479d6afee5a8242493784ea0c942af9ff87c0c76ce91595a8c8bbf9c4b9
RedLineStealer
d65fdc8389357ba633919c9a52c6d6ae0568343676be45e33652ad41d665e935
RedLineStealer
f34d8e5c8fc519f00e241aec9993902b15fb6947c92fc1acd40bb18cf4261bba
RedLineStealer
+ 115 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220117-x9jdkacebq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
a1f348945401a212e9b05b869fb4f0c1f8ddb29569705a15d9a8907fba72e651
MD5 hash:
3dda29b41ca7018d0bcc603cb3181dd5
SHA1 hash:
fc00ecc4041176d8ded23b547460d6a56c0599d5
Link:
https://www.unpac.me/results/8f1a858b-bd8d-4f48-a618-27459a645df0/
SH256 hash:
53dc7f330bc5df4e3443064b653a94435af34f0f0de5949142efcc86cf6cd5ca
MD5 hash:
f4130da97980d97dda8c1917ec49d04c
SHA1 hash:
0879b7bae608270e5a8d1e745173ddbc61c6268e
Link:
https://www.unpac.me/results/8f1a858b-bd8d-4f48-a618-27459a645df0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53dc7f330bc5df4e3443064b653a94435af34f0f0de5949142efcc86cf6cd5ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 53dc7f330bc5df4e3443064b653a94435af34f0f0de5949142efcc86cf6cd5ca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1984356/
Cape
Cape
https://www.capesandbox.com/analysis/219910/

Comments


Avatar
zbet commented on 2022-01-17 19:32:55 UTC

url : hxxp://data-host-coin-8.com/files/9833_1642430208_7948.exe