MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5633314db4cd680796bc5071bd9a8d0ded1c43e4d4178c431fe5882646816b89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5633314db4cd680796bc5071bd9a8d0ded1c43e4d4178c431fe5882646816b89
SHA3-384 hash: f852172e6d0eabcc20d7764c96e9f1ebb12cba45ba9b6177af682fba465161ede116a5bf1c7e4b0edc3f3341c3c206ad
SHA1 hash: e0a24a795e502e16b2fedc178a22a9c41e6edbe1
MD5 hash: 72b765579f21b2411f0d32b53fed6404
humanhash: avocado-paris-harry-kilo
File name:DOCU_SIGN09986902077540087PDF.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:823'808 bytes
First seen:2021-08-12 13:50:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:fD7/HK7zFspQf6KsarTy6z62XNHTndlOUB/oofw5pEVi6pjSiyyjK:ixspqsCTyf2dHTnbvhoo4d4jd8
Threatray 1'139 similar samples on MalwareBazaar
TLSH T13805C0423285DC9AE4172EF2186FD46011B9BD8F8625CA0E3F837E3B55E77022467B5E
dhash icon f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter Anonymous
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
2.56.59.235:7188 https://threatfox.abuse.ch/ioc/175243/

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOCU_SIGN09986902077540087PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-08-12 14:07:05 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/38bef75b-5d0a-45dd-b4bb-c3bc070ac2da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178749/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.993-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed605ad7-3100-45d0-a6f6-d00ce7c1aa95
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831859
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5633314db4cd680796bc5071bd9a8d0ded1c43e4d4178c431fe5882646816b89/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 06:42:53 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kyztctnuzvuapfv4kby33gunbxwryq7e2qlyyqy74wecmrubnoeq._file
Verdict:
malicious
Similar samples:
172b6209ca78d8006297f41fded71268689f8b9be88513673af4420c12176c75
RedLineStealer
1d169f4e5102f1c9a69a09a5a1756b3360ab3d592196bcd62c922a99bc50d3b0
RedLineStealer
2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf
RedLineStealer
574e22b44f2b1a0af1e8344a2e674d62c246287fa41c9ee3725120bc329a8a89
RedLineStealer
57c362ce666df098b6f501828fad20d1b4ff36398634ca4153de9dc43ff1fb9c
RedLineStealer
76aeea722182d2097b74fbe3bc9be747d718ea80967d1afb7c011af2d6981485
RedLineStealer
8cbafd04f32cc48843fcac1913ae731b04e990a44d789a74b0ef50785874d5aa
RedLineStealer
c415d4f2eccd8fbbcaacfb5afb4bf208115bf2ec5acb97bd436779f21d39a0e1
RedLineStealer
e5b091808b73fbf1b94a24bb98d8ac945012ec6b69f0979371af225ecdb804df
RedLineStealer
ee634bdc72e1a5b57eb1f7d42e5d0a4b7c9b1f7aa53a1f53564bf4ff5c74361a
RedLineStealer
+ 1'129 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210812-jpatcgb6ge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
2.56.59.235:7188
Unpacked files
SH256 hash:
a95b23b547ae3aff9e20263b260ed01f94e21e5ab67b520c95dc2226367d96f6
MD5 hash:
034f6c0f7a231121f8d60879898b0d9c
SHA1 hash:
cfc30caaf8a1c476536ff131b807c8bf277fff38
Link:
https://www.unpac.me/results/0bfdbbc4-bef2-43fe-86ce-85e4233bd305/
SH256 hash:
d8019ac551d2280d6c53c4efb713b8b4be32782a9c8c64d8317d82df5643445c
MD5 hash:
63e05f6edfec0762c6c6f40117211df2
SHA1 hash:
93b51844a533be82de51e4fd12569a8c2a4f961e
Link:
https://www.unpac.me/results/0bfdbbc4-bef2-43fe-86ce-85e4233bd305/
SH256 hash:
ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc
MD5 hash:
6057ce35bd926dd6d49dedfa9cc18372
SHA1 hash:
1f4e44e1740ffbd91129ac3a37d22845bc52c158
Link:
https://www.unpac.me/results/0bfdbbc4-bef2-43fe-86ce-85e4233bd305/
SH256 hash:
5633314db4cd680796bc5071bd9a8d0ded1c43e4d4178c431fe5882646816b89
MD5 hash:
72b765579f21b2411f0d32b53fed6404
SHA1 hash:
e0a24a795e502e16b2fedc178a22a9c41e6edbe1
Link:
https://www.unpac.me/results/0bfdbbc4-bef2-43fe-86ce-85e4233bd305/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5633314db4cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/5633314db4cd680796bc5071bd9a8d0ded1c43e4d4178c431fe5882646816b89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/178749/

Comments