MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68e3fd94b1f30d96efcb7eb78a8157734aaa94498428be2413b96eb875e033b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68e3fd94b1f30d96efcb7eb78a8157734aaa94498428be2413b96eb875e033b8
SHA3-384 hash: 360e58c2de03e1dd8e3275a94ed4ee3afc8c5ab24fcaa597462118e9ccb4b804817b1f894c891fee2216bf2e1cf61736
SHA1 hash: 3dcbde3a4e5a60d3eb03e69f6c704b071df4cc60
MD5 hash: 813e3167fad9fac636c116b816fe8113
humanhash: eight-seven-asparagus-illinois
File name:813e3167fad9fac636c116b816fe8113
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:446'464 bytes
First seen:2022-03-21 17:52:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:kfs4UgXkpb/a8PjoF2N4zkU9HesaMJcR/V:M00k17oF9zkU9HesId
Threatray 3'155 similar samples on MalwareBazaar
TLSH T1D494F11AA2F85766D0AA4FF11CF8A7F36561B5CBBC40E34C8409728C2667BD28D79D31
File icon (PE):PE icon
dhash icon fffef3f0791f8800 (1 x RedLineStealer, 1 x AZORult)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253733/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39291117.10732.25860.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Query of malicious DNS domain
Stealing user critical data
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe packed
Link:
https://www.filescan.io/uploads/6238bb85b94fb38cb4c5aa0c/reports/05df72e5-dc80-4a6b-b26b-47b225310e3b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLineStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad908488-cc60-47d5-a16e-af7e534073f3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961051
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68e3fd94b1f30d96efcb7eb78a8157734aaa94498428be2413b96eb875e033b8/
Threat name:
ByteCode-MSIL.Trojan.Mamson
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 15:36:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
27c106e7c9e455f880849d79759df345d2117aa2e2357696dabb51bc11adce8b
RedLineStealer
4088596950d2caffe223750d63f9b3ffd83aac1611748e82da11a244e90430d8
RedLineStealer
716b373d586926bb42f955ed155ac900e1d19494150d0539f22225b03d47f424
RedLineStealer
8486a418f9f04f24f3792559221ef2f13b613f9a6fab066a264211e52638fad7
RedLineStealer
9c8314de1486634c7612198f144f80cba26a2f79a65b657b6f17af33491c0998
RedLineStealer
dfa8a5144d89c3e1858c50b566bf1906e15491295cf5115d86b1d7209e15b557
RedLineStealer
e10e6de81f3af56db427e5c916171887171686ec46812dbebecee354f6c2a0cd
RedLineStealer
e2a3d9b8067133ddbcaedfc53e6f730cdb1df00db8d3255e98e63b6d49b67e24
RedLineStealer
fd55e0e52033ba78112d67d8b42c914316b019c73a87e5257ea22fde719afec7
RedLineStealer
+ 3'145 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1503 agilenet discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220321-wgaqaaddb7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
141.98.80.159:25730
Unpacked files
SH256 hash:
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
MD5 hash:
edd74be9723cdc6a5692954f0e51c9f3
SHA1 hash:
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
Link:
https://www.unpac.me/results/be96d703-3865-47b5-8b60-abf72169edcc/
SH256 hash:
68e3fd94b1f30d96efcb7eb78a8157734aaa94498428be2413b96eb875e033b8
MD5 hash:
813e3167fad9fac636c116b816fe8113
SHA1 hash:
3dcbde3a4e5a60d3eb03e69f6c704b071df4cc60
Link:
https://www.unpac.me/results/be96d703-3865-47b5-8b60-abf72169edcc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68e3fd94b1f30d96efcb7eb78a8157734aaa94498428be2413b96eb875e033b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 68e3fd94b1f30d96efcb7eb78a8157734aaa94498428be2413b96eb875e033b8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2109523/
Cape
Cape
https://www.capesandbox.com/analysis/253733/

Comments


Avatar
zbet commented on 2022-03-21 17:52:12 UTC

url : hxxp://file-coin-coin-10.com/files/4775_1647520667_6357.exe