MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6539c7adf3324f7741a203d986868dc97cf983520222eff900b89f184e1039f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6539c7adf3324f7741a203d986868dc97cf983520222eff900b89f184e1039f6
SHA3-384 hash: bb2ccd37f0839d08ebd3dbab0392e0ccb2cae09a4e1c01ba72c27896aeba364c84a22eac690aa664ed46a3f85e6a1123
SHA1 hash: 278194b4f1bf07fe339942c6e189a9486a663a13
MD5 hash: eac8b5992afe608fbe6bb4b842e476b4
humanhash: south-louisiana-illinois-pennsylvania
File name:PGMB772889910288.PDF.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:947'712 bytes
First seen:2020-10-23 06:58:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:V1UwaXdk8F61io5ZlOZV27gCxII8nzADEjp778qjJFIdH:VK1+5Pnmnaq7jjJKt
Threatray 9 similar samples on MalwareBazaar
TLSH 14157DC93200B5DFC413D4B28DAD5C70A66078BF831B820B6513666ED98E583DF5A6FB
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
Malspam distributing RedLineStealer:

HELO: usegreenco.com
Sending IP: 50.78.187.17
From: Lydia Yonkers<sales@usegreenco.com>
Subject: Quote Request
Attachment: PGMB772889910288.PDF.img (contains "PGMB772889910288.PDF.exe")

RedLineStealer C2:
http://hesmyela.xyz/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74953/
Detection(s):
SecuriteInfo.com.ArtemisEAC8B5992AFE.17432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Running batch commands
Launching a process
Sending a UDP request
Creating a window
Creating a file
Unauthorized injection to a recently created process
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507861
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303056 Sample: PGMB772889910288.PDF.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Detected unpacking (changes PE section rights) 2->59 61 16 other signatures 2->61 10 PGMB772889910288.PDF.exe 3 2->10         started        process3 file4 41 C:\Users\...\PGMB772889910288.PDF.exe.log, ASCII 10->41 dropped 73 Detected unpacking (changes PE section rights) 10->73 75 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->75 14 PGMB772889910288.PDF.exe 3 10->14         started        signatures5 process6 file7 43 C:\Users\user\AppData\Local\...\chrome.exe, PE32 14->43 dropped 45 C:\Users\user\...\chrome.exe:Zone.Identifier, ASCII 14->45 dropped 77 Tries to harvest and steal browser information (history, passwords, etc) 14->77 18 chrome.exe 3 14->18         started        21 cmd.exe 1 14->21         started        signatures8 process9 dnsIp10 63 Injects a PE file into a foreign processes 18->63 24 chrome.exe 15 22 18->24         started        28 chrome.exe 18->28         started        47 127.0.0.1 unknown unknown 21->47 65 Uses ping.exe to sleep 21->65 30 conhost.exe 21->30         started        32 PING.EXE 1 21->32         started        signatures11 process12 dnsIp13 49 api.ip.sb 24->49 51 hesmyela.xyz 5.253.63.137, 49746, 80 WORLDSTREAMNL Russian Federation 24->51 53 6 other IPs or domains 24->53 71 Tries to harvest and steal browser information (history, passwords, etc) 24->71 34 cmd.exe 1 24->34         started        signatures14 process15 signatures16 67 Uses ping.exe to sleep 34->67 69 Tries to harvest and steal browser information (history, passwords, etc) 34->69 37 conhost.exe 34->37         started        39 PING.EXE 1 34->39         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6539c7adf3324f7741a203d986868dc97cf983520222eff900b89f184e1039f6/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 03:08:39 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mu44plptgjhxoqncapmynbunzf6pta2sairo76iaxcprqtqqhh3a._file
Verdict:
suspicious
Similar samples:
082f1317f03b76584194dc5b800ed466cc1fbef34ef63a6019c2dc1de47212ed
RedLineStealer
22e8a783296dcabf49cb2c9b5f5a05b1cf670591e71130b08424a450aa54c419
RedLineStealer
253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1
RedLineStealer
33ca0e126781911285eecf450b3a6970e971abe3e03d6261186ec10674bf2319
RedLineStealer
551022935cb64a9df1e36625a3be468c99a25086b505a4dba1c533f3f749c7a4
RedLineStealer
70195e1ff5377fe53bd4faecadf3464e16c36d2859385a616ea6f343ff773ee7
RedLineStealer
b28088f23be9a22ed95c6ff500e48e8958c7fff6eb288f890665ec6399a6e2af
RedLineStealer
c68e4b825434bac34abd9d5428ea2c30fc60c8b47db17de743782825687547d5
RedLineStealer
fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla persistence discovery infostealer family:redline
Link:
https://tria.ge/reports/201023-jsh2szj1e2/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
14805cd4ec8627a803069bd0e0a6eebf5f9ac92e27aea220c257931bdbb24e8d
MD5 hash:
5f9795f413b2a40b977c692fa4702e1c
SHA1 hash:
1a71243644bee93af38dde6b581e8b09582ca2fd
Link:
https://www.unpac.me/results/48492cb7-b2a4-4b50-bb60-adc66654bf3c/
SH256 hash:
6539c7adf3324f7741a203d986868dc97cf983520222eff900b89f184e1039f6
MD5 hash:
eac8b5992afe608fbe6bb4b842e476b4
SHA1 hash:
278194b4f1bf07fe339942c6e189a9486a663a13
Link:
https://www.unpac.me/results/48492cb7-b2a4-4b50-bb60-adc66654bf3c/
SH256 hash:
73d28afb310c7125d9586c7fb1e11c734803e6d1023fd62c5acb2119c47d7d83
MD5 hash:
e9920c32ea86f51ffcae9e2ecbf5c460
SHA1 hash:
ce0957d5b6e09812ad5739110d81dbe4825bec1e
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/48492cb7-b2a4-4b50-bb60-adc66654bf3c/
Parent samples :
6539c7adf3324f7741a203d986868dc97cf983520222eff900b89f184e1039f6
608d70c1cb35d04fa09469743651ee50e859d9ea016f7492bc53008de310deb7
SH256 hash:
e2c68ed43c65be6fdc243f07d392793ddee4b81349b408911bb11cd2020449a4
MD5 hash:
83aa7c84ca3f26ae638b16e7841f3f59
SHA1 hash:
e0b7f5c4acb9ef68a40fcb4d6608a5d655f4cb48
Link:
https://www.unpac.me/results/48492cb7-b2a4-4b50-bb60-adc66654bf3c/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/48492cb7-b2a4-4b50-bb60-adc66654bf3c/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

img ce7c720d27b3347a77b5d01b04c89252e385392ea639dc2bda0d1f48278bb849

RedLineStealer

Executable exe 6539c7adf3324f7741a203d986868dc97cf983520222eff900b89f184e1039f6

(this sample)

  
Dropped by
MD5 5126367ad19dba8d91820838faeeb93c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74953/
  
Dropped by
SHA256 ce7c720d27b3347a77b5d01b04c89252e385392ea639dc2bda0d1f48278bb849

Comments