MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c82b47b3f2704735dc371304a37a9f57a8949c1367e027445fa277a948b0875. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c82b47b3f2704735dc371304a37a9f57a8949c1367e027445fa277a948b0875
SHA3-384 hash: c754321c03e93290a63c55349e8165d8b644569c79d43de81e72799b2cd7fb4a5505b8bf11ac8a3c9e740c0f67e8a96e
SHA1 hash: 341ab08a1b2d951080f89db0ffb49a455d86d6c0
MD5 hash: 84515ba27617fd0d6e6e61343c82ee56
humanhash: foxtrot-zebra-finch-magnesium
File name:Installer.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:428'544 bytes
First seen:2021-08-17 09:34:00 UTC
Last seen:2021-08-17 10:46:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:1KPCSvTvKhXQsutR5IXdoF+r2I1Fyjbl66A93LnYDttxU7Uu68ksVii:1BSvTkAXtvldA93LYzxOd69
Threatray 1'259 similar samples on MalwareBazaar
TLSH T15E940866B505148EEA6CAF28A89E116E2A519FF56C38CD9FFF530FC7511B42478F202C
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 09:38:09 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/c4edc82a-68e2-4cdd-bd0c-6f70ae4f836f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179923/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.61341.26820.10895.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Sending a UDP request
Deleting a recently created file
Launching a process
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Adding exclusions to Windows Defender
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/112ee3e2-2788-4d34-b5ee-8c57991a7451
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834237
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c82b47b3f2704735dc371304a37a9f57a8949c1367e027445fa277a948b0875/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 01:19:39 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nsbli6z7e4chgxodoeyeun5j6v5issobgz7ae5cf7itxvfelbb2q._file
Verdict:
malicious
Similar samples:
041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81
RedLineStealer
356726b20529e961530d6f9045365a126afccf42db8b47dbffb3aa222e55f78d
RedLineStealer
663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa
RedLineStealer
6814143c59108c0010bd29365823a38f61062a1978987b4798671334aa496740
RedLineStealer
8f2789b6a628a92f9f6313305b255c405f867c49161bb864263dcfef5a6f712d
RedLineStealer
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
RedLineStealer
b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84
RedLineStealer
bb21c783c0ab2672f80d2cafee36a7108fa588ef17896be3f374c0c351a89dbc
RedLineStealer
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
RedLineStealer
ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf8cf9155e67e7a460c2c
RedLineStealer
+ 1'249 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:rich discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210817-acfnvyez1x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
95.217.248.44:11695
Unpacked files
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/39a0eab8-1db5-43e6-9dfd-3f9e92d3aa9d/
SH256 hash:
7505d867b7b11c40add2b62d4c59750767b9b45b4ecdbae830d6f470cb3c5af7
MD5 hash:
bc20cf700a2b896c52d6ec29cc263cbe
SHA1 hash:
3acda713ce39f26524c8a957c845e726e83081dd
Link:
https://www.unpac.me/results/39a0eab8-1db5-43e6-9dfd-3f9e92d3aa9d/
SH256 hash:
a0e0a182825a4165db5c07c1f72d37d8784f4e155a7e6a604dd01bb0d1cc1af8
MD5 hash:
4ba484f683216e2faef9c8b75d1c8ebe
SHA1 hash:
04efeca5c8a17370ed62559e53585c9a33e412f0
Link:
https://www.unpac.me/results/39a0eab8-1db5-43e6-9dfd-3f9e92d3aa9d/
SH256 hash:
6c82b47b3f2704735dc371304a37a9f57a8949c1367e027445fa277a948b0875
MD5 hash:
84515ba27617fd0d6e6e61343c82ee56
SHA1 hash:
341ab08a1b2d951080f89db0ffb49a455d86d6c0
Link:
https://www.unpac.me/results/39a0eab8-1db5-43e6-9dfd-3f9e92d3aa9d/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6c82b47b3f27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c82b47b3f2704735dc371304a37a9f57a8949c1367e027445fa277a948b0875

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179923/

Comments