MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 566b744e0e0b789f5ba0502144328af1df9483cfbd80a0efc7437aec176c3ac6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 566b744e0e0b789f5ba0502144328af1df9483cfbd80a0efc7437aec176c3ac6
SHA3-384 hash: 7233c7b5c7d893c2b523e0f63d5a7fd5b092ce15bfd23a4c781fbd784b982dc97b8565b9606fe94c6a00f4dbc8a5bd6e
SHA1 hash: 2d050b2b99381ede6c179934d3492be20a05f3b5
MD5 hash: b76964a44b67b1f41a7f1feb9bfebe75
humanhash: uncle-may-lake-muppet
File name:b76964a44b67b1f41a7f1feb9bfebe75.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:334'848 bytes
First seen:2020-11-03 06:15:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 554395f21cb6fb7e6275ab428f9f4e95 (3 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 6144:MJEMvCZ+NGFCTZG7kp5VPMXtbyZlyQdZoD:MWUT7Zfp5VPytb8yR
Threatray 445 similar samples on MalwareBazaar
TLSH 7964D01175A0C572C06244315B64F2B4617ABC619AB89B473BD8FF2B2F31291FA7235F
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://eluveitie.xyz/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81930/
Detection(s):
SecuriteInfo.com.BackDoor.Generic12.AOUE.3057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/518833
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/566b744e0e0b789f5ba0502144328af1df9483cfbd80a0efc7437aec176c3ac6/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 18:37:41 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzvxitqobn4j6w5akaquimuk6hpzja6pxwakb36hin5oyf3mhlda._file
Verdict:
unknown
Similar samples:
08b695d45d297aea56ccc80bef7613eae070498512805243db8e4b887d2b2c8c
RedLineStealer
20b8b1c1b7aa1a707819434f2ce27db4d8d2b613da99b491f94ad44db1d241e0
RedLineStealer
5b4cbc85472de1347063a0fdacda8089e916ec37d4e079145a5d81bc3a57c0c5
RedLineStealer
7b6c0334b1cc26e87e6a071ed278dd0781634460e0de56245fc306624340fb21
RedLineStealer
837f559ca01a23667b2b344d47bf7caea2ad90498c8c34df03cad5bb748fcc33
RedLineStealer
89a5f32eeea38b1f18e8780bfdf95e5602fa66195c33460d55871e6edfbb8351
RedLineStealer
9ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
RedLineStealer
b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04
RedLineStealer
e956a58b3dfb4b71d0fddad3a02ffd5cc0c3413684b59e2f9f14fd3626250f1d
RedLineStealer
f272416d8cc43a319811db7fc8f6ac087785e2a3b173ecfe573b725952dd430f
RedLineStealer
+ 435 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan family:redline discovery infostealer
Link:
https://tria.ge/reports/201103-hswnfjdd9s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
566b744e0e0b789f5ba0502144328af1df9483cfbd80a0efc7437aec176c3ac6
MD5 hash:
b76964a44b67b1f41a7f1feb9bfebe75
SHA1 hash:
2d050b2b99381ede6c179934d3492be20a05f3b5
Link:
https://www.unpac.me/results/d7e9d7a9-a8f0-4e49-9a53-66ba10c63282/
SH256 hash:
3d50c18ed805bfdd30f12549b24785953db88a5a1779e4ce7b44956adeae6e59
MD5 hash:
88b7b033196f5f3e3a6e3a5eca4d0462
SHA1 hash:
0ca05e1c4a7663065dc34874cebf9c3b46670e4e
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/d7e9d7a9-a8f0-4e49-9a53-66ba10c63282/
SH256 hash:
e1c3e4653ce94b1f62dcf656c4078dd4be941f176ee0ce538f96eb31ab965e6a
MD5 hash:
cadbe9ffaac8428beaa4cb3ec5e18e48
SHA1 hash:
9aa701656e0831ed59a4153364fce9dcf2c3a15a
Link:
https://www.unpac.me/results/d7e9d7a9-a8f0-4e49-9a53-66ba10c63282/
SH256 hash:
2f68de305b3fd8e49b8bf92885b136cbe4b17260008d81bc93f8bc2c583a0828
MD5 hash:
6de45c9387e8f3b593a99e7a7f46ad5f
SHA1 hash:
d696c0d844126ce676cc11fac6556293187a38f2
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/d7e9d7a9-a8f0-4e49-9a53-66ba10c63282/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/566b744e0e0b789f5ba0502144328af1df9483cfbd80a0efc7437aec176c3ac6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 566b744e0e0b789f5ba0502144328af1df9483cfbd80a0efc7437aec176c3ac6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/81930/
  
URLhaus
https://urlhaus.abuse.ch/url/759003/
  
Delivery method
Distributed via web download

Comments