MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 700480ffbe06361d5cfb7e98e637acc79877b90104d6ca2d90ccd1e7eebac416. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 7 File information Comments

SHA256 hash:	700480ffbe06361d5cfb7e98e637acc79877b90104d6ca2d90ccd1e7eebac416
SHA3-384 hash:	ca2399c50c85540f255a9cc8d5c36907d4154193ed3c4640d9cbc0fbd0602d474a0526eedd0088fc92a85155150c9a8a
SHA1 hash:	f12befeabb457a2dc97d32b64ae2a03ce3ce4a0f
MD5 hash:	09fce5f987c3a4cb1733c9b9c4b8b560
humanhash:	neptune-xray-illinois-vermont
File name:	SecuriteInfo.com.W32.MSIL_Kryptik.EOQ.genEldorado.6402.13004
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	644'000 bytes
First seen:	2022-06-01 14:43:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	12288:Dbyu6HuomcdCHG2PtQPUgF2JHUK9zZ4QE:iHqcSPtF8wHUKxE
Threatray	2'045 similar samples on MalwareBazaar
TLSH	T108D4DF1932E82F17C52EDEB2C425DDB953367DDB7C41EB4A4987F20A1C7220E892E45E
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Qualify
Issuer:	Qualify
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-06-01T10:58:26Z
Valid to:	2023-06-01T10:58:26Z
Serial number:	e59276e34dfb1a4ad2f064b60ee0af34
Thumbprint Algorithm:	SHA256
Thumbprint:	d63ef66f2c389bec92eb7031d61d6f25d66822dd018dd65b5648eb32dc688615
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

371

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.MSIL_Kryptik.EOQ.genEldorado.6402.13004

Verdict:

Suspicious activity

Analysis date:

2022-06-01 15:16:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9a1de91d-2cd6-460a-8cde-b2b78ee87890

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276128/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.EOQ.genEldorado.6402.13004.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Adding an access-denied ACE

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Sending a custom TCP request

Sending an HTTP POST request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Reading critical registry keys

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d660ca1c-9247-4aa6-8ee8-4fb29e9868fc

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1005178

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Contains functionality to hide user accounts

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected RedLine Stealer

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/700480ffbe06361d5cfb7e98e637acc79877b90104d6ca2d90ccd1e7eebac416/

Threat name:

ByteCode-MSIL.Trojan.RedlineStealer

Status:

Malicious

First seen:

2022-06-01 11:42:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oacib756ay3b2xh3p2momn5my6mhpoibatlmulmqzti6p3v2yqla._file

Verdict:

malicious

RedLineStealer

50c32136e5f1aa6af7adb8bca7737e659401097931357156344583e7f5595014

RedLineStealer

700480ffbe06361d5cfb7e98e637acc79877b90104d6ca2d90ccd1e7eebac416

RedLineStealer

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01

RedLineStealer

b618d6a08d5d165812cef6e3f1239b33bd4ab60971c3a41d1da8fc22bfb9ac9a

RedLineStealer

c71775afd82043e34a09cf99d4ca571b52e9be5c4d808af8ef2c6f1333e9c335

RedLineStealer

e7913058bbde80f5b9088b0b41a132b0d9c09e1973f9bf2199d355cf7620bf12

RedLineStealer

fd4c999083d99e6c8898be8cd29d281922d49754a1c7adb1b4d8bb0e7f69bb19

RedLineStealer

+ 2'035 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:xl discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220601-r35qbscggp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

37.0.8.130:16913

Unpacked files

SH256 hash:

f729c7576c959c5c34e33d99df88da4b27647779f202e652b5582ee1b7377acb

MD5 hash:

379823d8d1b006553312ee5f4b1f4303

SHA1 hash:

79be9b96163560393056532f63d7e777257e9082

Link:

https://www.unpac.me/results/39c36fc3-1482-4984-af39-9e623b335231/

SH256 hash:

70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082

MD5 hash:

5951b52c9b4d11ca7f4f33e5a3fb2c31

SHA1 hash:

0bc54fd699fff7b93e5c447a141c0d904924ab0d

Link:

https://www.unpac.me/results/39c36fc3-1482-4984-af39-9e623b335231/

SH256 hash:

700480ffbe06361d5cfb7e98e637acc79877b90104d6ca2d90ccd1e7eebac416

MD5 hash:

09fce5f987c3a4cb1733c9b9c4b8b560

SHA1 hash:

f12befeabb457a2dc97d32b64ae2a03ce3ce4a0f

Link:

https://www.unpac.me/results/39c36fc3-1482-4984-af39-9e623b335231/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/700480ffbe06361d5cfb7e98e637acc79877b90104d6ca2d90ccd1e7eebac416

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276128/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample