MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
SHA3-384 hash: 93e8aa3919f7597a196901fdab30f9665175bb2f370addfc068345b53252b2d5d1de68681b44db2e4a66206932457bdb
SHA1 hash: f40891e66c3b6a568a822a6a09868370ea80a3a1
MD5 hash: 5c8f76ef10a7d2493dec6399c4225a73
humanhash: music-saturn-don-five
File name:5c8f76ef10a7d2493dec6399c4225a73.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'053'104 bytes
First seen:2020-07-31 08:36:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 24576:YQEhMzeNJBjAObi4M2rIDTU4fmj6J/d5JJXuE6YBp5:YQEhM8BfbiyrIDovj6llJXv6YB
Threatray 12 similar samples on MalwareBazaar
TLSH 22251205B6CE8610FEA9C530A17986814776FC40BE22C3D31791FAD14FA5B728D25BAB
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://zeave.xyz/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36368/
Detection(s):
PUA.Win.Adware.Browsefox-6628766-0
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.MSIL.Krypt.11.1240.9175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Delayed writing of the file
Launching a process
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Using the Windows Management Instrumentation requests
Connection attempt
Launching a tool to kill processes
Deleting of the original file
Unauthorized injection to a system process
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/405792
Signature
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255245 Sample: jQcEDM33ao.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 72 45 zeave.xyz 2->45 47 g.msn.com 2->47 49 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->49 57 Yara detected RedLine Stealer 2->57 59 Uses ping.exe to sleep 2->59 61 Machine Learning detection for sample 2->61 63 3 other signatures 2->63 11 jQcEDM33ao.exe 1 6 2->11         started        14 rundll32.exe 2->14         started        signatures3 process4 file5 43 C:\Users\user\...\SpKWlRpqQTmGoYMEl.com, COM 11->43 dropped 16 cmd.exe 1 11->16         started        19 powershell.exe 21 11->19         started        process6 signatures7 55 Drops PE files with a suspicious file extension 16->55 21 cmd.exe 2 16->21         started        25 conhost.exe 16->25         started        27 conhost.exe 19->27         started        process8 file9 41 C:\Users\user\AppData\Local\...\explorer.com, PE32 21->41 dropped 65 Uses ping.exe to sleep 21->65 29 explorer.com 21->29         started        31 PING.EXE 1 21->31         started        34 certutil.exe 2 21->34         started        signatures10 process11 dnsIp12 36 explorer.com 29->36         started        53 127.0.0.1 unknown unknown 31->53 process13 dnsIp14 51 BRHlEL.BRHlEL 36->51 39 RegAsm.exe 36->39         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-07-31 01:27:00 UTC
AV detection:
25 of 48 (52.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mn6roi4v7b3kop3xi5wcvmjgdyujxdyshfirayt2psjvqoyrzbua._file
Verdict:
unknown
Similar samples:
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
RedLineStealer
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
RedLineStealer
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928
RedLineStealer
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
RedLineStealer
94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
RedLineStealer
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
RedLineStealer
c6a810bf84ea3fd17a282d2a10bec7811c79ff751d5dbcf9eb84cff95f1fd5ba
RedLineStealer
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
RedLineStealer
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
RedLineStealer
e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4
RedLineStealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer infostealer family:redline spyware discovery persistence trojan family:agenttesla
Link:
https://tria.ge/reports/200731-ve35kw7mn6/
Behaviour
Kills process with taskkill
Modifies registry class
Checks whether UAC is enabled
Enumerates system info in registry
Modifies Control Panel
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Program crash
Checks installed software on the system
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
AgentTesla Payload
RedLine
AgentTesla
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/36368/
  
URLhaus
https://urlhaus.abuse.ch/url/408894/
  
Delivery method
Distributed via web download

Comments