MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b52ea913b7eb0e3ece4410ddc5637da7f9dcbf8889302ee7e73fa220ba2c53c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6



SHA256 hash: 6b52ea913b7eb0e3ece4410ddc5637da7f9dcbf8889302ee7e73fa220ba2c53c
SHA3-384 hash: 7cc20bd03bebfdea0b85b222f0159708767ebf5c5c24fbb9b0143ec21efea53c4ea96bda73e223a68902df15ef27b674
SHA1 hash: 25be37fd4fd33634cea0a17cbb369f48dd1a1e72
MD5 hash: 912c9b44fd2945560bb3b479c170b0f5
humanhash: glucose-cat-chicken-maryland
File name: DogeTab.exe
Signature: RedLineStealer
File size: 2'953'583 bytes
First seen: 2021-07-20 09:42:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 57e98d9a5a72c8d7ad8fb7a6a58b3daf (60 x GuLoader, 20 x AZORult, 12 x RemcosRAT)
ssdeep: 49152:MHn+XHE+KP3XQqNXqlfMFEwNCBZgJgJPEYKrNh21HXp+FiuVWVRAy03jzzZXPnB:MeXHg96VVeCngJKMYK215+Vtygj/ZvB
Threatray: 4 similar samples on MalwareBazaar
TLSH: T13BD533D34A008972DD15873A1E9365A22BBA5C81C7B72F5F92AC336B0DB3914DD0BE1D
Reporter: JAMESWT_WT
Tags: exe RedLineStealer signed

Code Signing Certificate

Organisation: Progress Software Corporation
Issuer: Symantec Class 3 SHA256 Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2019-01-03T00:00:00Z
Valid to: 2020-01-16T23:59:59Z
Serial number: 6b24230a1f4158a8a8b9ecc7a54963d8
Thumbprint algorithm: SHA256
Thumbprint: 9c33ea2ac955f53de2700a18644314fd491559f569b45e0e0dc64f62bc0f4bdb
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 110
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: DogeTab.exe
Verdict: Malicious activity
Analysis date: 2021-07-20 09:43:40 UTC
Tags: teamviewer tvrat rat trojan
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour

Behavior Graph ID: 451206
Sample: DogeTab.exe
Start date: 20/07/2021
Architecture: WINDOWS
Score: 100

Signatures (sample level):
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
9 other signatures

Process tree:
DogeTab.exe (started)
  dropped: C:\Users\user\AppData\Local\...\avicap32.dll (PE32)
  dropped: C:\Users\user\AppData\Local\...\nsis7z.dll (PE32)
  dropped: C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32)
  dropped: 9 other files (none is malicious)
  cmd.exe (started)
    conhost.exe (started)
    msci.exe (started)
      network: master14.teamviewer.com 185.188.32.24, ports 49740, 49741, 49742 (TEAMVIEWER-ASDE, Germany)
      network: contentmy.com 185.181.164.216, ports 49746, 49747, 80 (PINDC-ASRU, Ukraine)
      network: 7 other IPs or domains
      dropped: C:\Users\user\AppData\Local\Temp\build.exe (PE32)
      dropped: C:\Users\user\AppData\Local\Temp\argent.exe (PE32)
      signature: Contains functionality to detect sleep reduction / modifications
      argent.exe (started)
        signature: Multi AV Scanner detection for dropped file
        signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        signature: Machine Learning detection for dropped file
        signature: 2 other signatures
        argent.exe (started)
          network: 194.226.139.106, ports 25644, 49778, 49781 (RUSAGRO-ASRU, Russian Federation)
          network: api.ip.sb
          signature: Tries to harvest and steal browser information (history, passwords, etc)
          signature: Tries to steal Crypto Currency Wallets
      build.exe (started)
        dropped: C:\Users\user\AppData\Roaming\...\build.exe (PE32)
        signature: Antivirus detection for dropped file
        signature: Drops PE files to the startup folder
        build.exe (started)
      cmd.exe (started)
        conhost.exe (started)
        reg.exe (started)
build.exe (started)
msci.exe (started)
Threat name: Win32.Virus.TheRat
Status: Malicious
First seen: 2021-07-18 15:58:50 UTC
File type: PE (Exe)
Extracted files: 6
AV detection: 12 of 28 (42.86%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer persistence spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: 194.226.139.106:25644
Unpacked files

SHA256 hash: a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
MD5 hash: b0c77267f13b2f87c084fd86ef51ccfc
SHA1 hash: f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256 hash: 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3
MD5 hash: eac1c3707970fe7c71b2d760c34763fa
SHA1 hash: f275e659ad7798994361f6ccb1481050aba30ff8

SHA256 hash: 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
MD5 hash: b9380b0bea8854fd9f93cc1fda0dfeac
SHA1 hash: edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256 hash: 98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e
MD5 hash: d7778720208a94e2049972fb7a1e0637
SHA1 hash: 080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256 hash: e6e2c66ab0db6f57d6be5e7d2f144144fa7ceec018d5c80eab572ff76983939b
MD5 hash: e6083e130e1af0796b767cf71d145fe2
SHA1 hash: e97a209dbe581263e2d33f80e250e921569c055f

SHA256 hash: 813bdcd4a5ae12d6bf754cf6f82cb31c2b81c027942455919738b9d2c0caf109
MD5 hash: 1a379b5e3a12576d1e243a44c19b5e53
SHA1 hash: 9cf811c9269937480e638f18a8900fc6b3618a54

SHA256 hash: 21d1da36a2515e8684fc32897fff081352faaff921de2fcdcad569e0d57b08d4
MD5 hash: 388b59fe1a949f2cd017a09da4a7fa6c
SHA1 hash: 4d61d593dca95c79b992cdcd63649224231696f8

SHA256 hash: 9ac8718596c4d65075944dbc773c3acba62d2e8d3b956fadc51ea38024f63a3a
MD5 hash: d08a9112d2afdfe596a9767ba72c7626
SHA1 hash: 77778da3f33fbd572e5b45b1dcd5949b88a02814

SHA256 hash: 6b52ea913b7eb0e3ece4410ddc5637da7f9dcbf8889302ee7e73fa220ba2c53c
MD5 hash: 912c9b44fd2945560bb3b479c170b0f5
SHA1 hash: 25be37fd4fd33634cea0a17cbb369f48dd1a1e72