MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56b6e77cb47f584b19d5641cc4ff9e47922dd20028bb9c47afc26aeb9780a661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56b6e77cb47f584b19d5641cc4ff9e47922dd20028bb9c47afc26aeb9780a661
SHA3-384 hash: 0e89c535b40dd4b8c9fd78c885d898eb49ebebfb772a8741587a61b97e199854af3b1e0ab0b73fb6ea51ed9c8a474e01
SHA1 hash: 82269777019a12bbdd83308d132ffad6f478defd
MD5 hash: cd535684a1e3500a157c0f181a69d4dd
humanhash: oklahoma-green-charlie-eighteen
File name:cd535684a1e3500a157c0f181a69d4dd
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'403'904 bytes
First seen:2021-11-19 01:19:59 UTC
Last seen:2021-11-19 03:01:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 24576:yINx3dmR2rQLKRgG5qzdpaeewCrC3WW5kEaHNYK3t+K5Dyox5C:13dmn+odpa7rCGW5Nar+M1C
Threatray 318 similar samples on MalwareBazaar
TLSH T1AC55337D27D9CF2DC9C5B6B33A3A1A870B4E5D54A4C1B210B3ED1B2C0DB85B6A924347
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd535684a1e3500a157c0f181a69d4dd
Verdict:
Malicious activity
Analysis date:
2021-11-19 01:26:19 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/5e592db9-bfc0-4d67-a3f8-f583015954af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/6196fbc62695a62af9f371b5/reports/54f37719-c19b-4cc7-ad62-c8fa682f8633/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9258928b-1ad7-4134-b6fc-bf9cacc8ef24
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892398
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56b6e77cb47f584b19d5641cc4ff9e47922dd20028bb9c47afc26aeb9780a661/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 03:23:53 UTC
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1bd828797937b0a573cbba02d61eb01e2120f51a6f47e701a4c1e6ab2a5399f0
RedLineStealer
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
RedLineStealer
4cf588b87b8697aecc8c5c0cc516b3de86b15ea5185191949e54282d6bde34b9
RedLineStealer
6077f0663a7475cff6c26539fca712b3300c21d81a9439b3f76900457532c401
RedLineStealer
a3e0d1640ad8b3cd669fb283acbda05f77280144414de6b88dae5009c55b5872
RedLineStealer
c0187c53d096fcf18afd91727cda5ed43f290a33b948d9d11afc0f65e2cc4b23
RedLineStealer
c8079935847aabf765d463162c47a4b10e80954353bd633377ab076aa73e8952
RedLineStealer
cbeafcb1b8e209794f255e1f689a636a22e2e4fc9017a9cfb839ac02e99c378e
RedLineStealer
df3f1453ac8a57eb0f8bcf8d36db69471d3fa754c1be5b352a9e2699d57b28c4
RedLineStealer
ebd2638b8cb8c64f869779415eb8f6cb28da23a42f3301f55f5a40b931581634
RedLineStealer
+ 308 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:my evasion infostealer spyware trojan
Link:
https://tria.ge/reports/211119-bp4m4sbfd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
91.243.59.56:61911
Unpacked files
SH256 hash:
a0191817485f9eefd1b45da9286418eac6286264bdd5e21ef000d84d6e405aa1
MD5 hash:
03ea96be6a5986294fab4a99d215dcf1
SHA1 hash:
83af5a247e56efc0a5026e0c21b7e4cb383b4d99
Link:
https://www.unpac.me/results/47c016fd-f838-4c2b-ac47-1ec40ecb80b2/
SH256 hash:
56b6e77cb47f584b19d5641cc4ff9e47922dd20028bb9c47afc26aeb9780a661
MD5 hash:
cd535684a1e3500a157c0f181a69d4dd
SHA1 hash:
82269777019a12bbdd83308d132ffad6f478defd
Link:
https://www.unpac.me/results/47c016fd-f838-4c2b-ac47-1ec40ecb80b2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/56b6e77cb47f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/56b6e77cb47f584b19d5641cc4ff9e47922dd20028bb9c47afc26aeb9780a661

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 56b6e77cb47f584b19d5641cc4ff9e47922dd20028bb9c47afc26aeb9780a661

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207445/
  
URLhaus
https://urlhaus.abuse.ch/url/1800224/

Comments


Avatar
zbet commented on 2021-11-19 01:20:01 UTC

url : hxxp://host-file-host0.com/files/5028_1637095789_3971.exe