MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e04fd1dbb733087f3ef4de2d2778d0696f6228cb2e07f586c999dd39d960f16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	5e04fd1dbb733087f3ef4de2d2778d0696f6228cb2e07f586c999dd39d960f16
SHA3-384 hash:	ba507777d024864743c5e59cd47b661f7a0d54f8b7b8dafa7ad506c3c4c6e99bd7809028d3b7e067a68a9c3acfacbdef
SHA1 hash:	461b9d241db746ba9a1f688c478d1233fc58de94
MD5 hash:	459173176117c3a0a6f3b530f4fde44b
humanhash:	sierra-nitrogen-robin-oven
File name:	Salterns.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	887'296 bytes
First seen:	2021-10-06 20:32:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'841 x AgentTesla, 19'773 x Formbook, 12'296 x SnakeKeylogger)
ssdeep	12288:oLdSMHV6xx6ZEVF32EuR4xAUzHmKi5qKoNvMStir/OcHWARuH5fu35V3kbE03iqA:oLV4L50
Threatray	57 similar samples on MalwareBazaar
TLSH	T19615372868BFD01951B3EF912EDCA8FBDD9A55E3640D743710A4632B8B52B80DE4F439
Reporter	Anonymous
Tags:	exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
65.108.21.17:5417	https://threatfox.abuse.ch/ioc/231125/

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Enridged.zip

Verdict:

Malicious activity

Analysis date:

2021-10-05 23:32:51 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e3ae197a-5d7f-470b-bc68-e4cb627368cf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/195547/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.972-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615e080098a6280f39331f14/reports/c7b0426c-9006-44b9-a4bf-a200783411b8/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5279aa93-03df-4fe4-83e9-9ea796495969

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/865870

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e04fd1dbb733087f3ef4de2d2778d0696f6228cb2e07f586c999dd39d960f16/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-06 20:33:06 UTC

AV detection:

21 of 44 (47.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lycp2hn3omyip47pjxrne54na2lpmiumwlqh6wdmtgo5hhmwb4la._file

Verdict:

unknown

RedLineStealer

3d29b2a1a23b12a5134fbe8b17fe5ba0c87549e5671232eb9e842c2a55ad8f2b

RedLineStealer

70b67fb490756a02895239611d044a18ad4e719712611745fe5fd19c716e4e95

RedLineStealer

95cd8d4bc79853ac7a2a8b7b990cd33937db02fb3ee7b4650d5add5609687e91

RedLineStealer

a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d

RedLineStealer

cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30

RedLineStealer

d297909c5beef3cdc63c28a941d7e14e90472bee97389f7021bcc2b9b4be21f4

RedLineStealer

da95de4e9d6377d3fb8509f8c5ff35a47840158562a8e8d2fb8efe766aa857c4

RedLineStealer

df506f05d7e9b177966b890bafeb63f3b6636013838c889e7264e53a1d0d6063

RedLineStealer

f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3

RedLineStealer

+ 47 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211006-zbveaabef6/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

8fe5bce16d93d976b1a4344063ef64389c1c82b19deff2605a3d027e410dbf65

MD5 hash:

50e4de5b85630c960e0b26e02d9f4fcd

SHA1 hash:

f208e840e9a5de02dbaa6678a949bb339456ff8c

Link:

https://www.unpac.me/results/5cf2b3e9-f21f-4b3f-8a32-f3ca77354c09/

SH256 hash:

5e04fd1dbb733087f3ef4de2d2778d0696f6228cb2e07f586c999dd39d960f16

MD5 hash:

459173176117c3a0a6f3b530f4fde44b

SHA1 hash:

461b9d241db746ba9a1f688c478d1233fc58de94

Link:

https://www.unpac.me/results/5cf2b3e9-f21f-4b3f-8a32-f3ca77354c09/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5e04fd1dbb73/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/5e04fd1dbb733087f3ef4de2d2778d0696f6228cb2e07f586c999dd39d960f16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195547/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample