MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc
SHA3-384 hash: 6249f890389dbe682fef8184a4188d6bc50623ae9137532224c9dfcea7d102d4abcad98d04e6aaa0236af2dfd22b2eab
SHA1 hash: 96925278dbe4e2aa6734198f6df8cc7b00933bf2
MD5 hash: 6e085ae5b4d4cd497e9cf2087133d805
humanhash: arizona-bravo-alaska-music
File name:6e085ae5b4d4cd497e9cf2087133d805.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:985'226 bytes
First seen:2020-09-15 16:18:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:753uhFp6w6ai3OD1a/4yNo0DZ8lOXgkA9:75+hFpI33OD1a/K018lk
Threatray 12 similar samples on MalwareBazaar
TLSH DA2523B279A640F2D4C37D3019807B7799B1F3761B3458E767A04502BE762E19B3B28B
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60739/
Detection(s):
PUA.Win.Trojan.Generic-6843329-0
Create hunting rule

PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.File.Generic-7135455-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Deleting a recently created file
Creating a file
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP POST request to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/466910
Signature
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 285864 Sample: alEsvoJ9FQ.exe Startdate: 15/09/2020 Architecture: WINDOWS Score: 68 49 Multi AV Scanner detection for submitted file 2->49 51 Uses ping.exe to sleep 2->51 53 Uses ping.exe to check the status of other devices and networks 2->53 55 Sigma detected: Suspicious Certutil Command 2->55 9 alEsvoJ9FQ.exe 8 2->9         started        process3 signatures4 59 Contains functionality to register a low level keyboard hook 9->59 12 cmd.exe 1 9->12         started        14 cmd.exe 1 9->14         started        17 cmd.exe 1 9->17         started        process5 signatures6 19 cmd.exe 2 12->19         started        23 conhost.exe 12->23         started        61 Drops PE files with a suspicious file extension 14->61 25 conhost.exe 14->25         started        27 conhost.exe 17->27         started        process7 file8 41 C:\Users\user\AppData\Local\...\services.com, PE32 19->41 dropped 57 Uses ping.exe to sleep 19->57 29 services.com 19->29         started        31 PING.EXE 1 19->31         started        34 PING.EXE 1 19->34         started        36 certutil.exe 2 19->36         started        signatures9 process10 dnsIp11 38 services.com 29->38         started        45 127.0.0.1 unknown unknown 31->45 47 mpP.lnolS 34->47 process12 dnsIp13 43 MPpcGfJYiSc.MPpcGfJYiSc 38->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2020-09-15 16:20:07 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=octrpcoupre2apbvi6xmr3duvj3mioarvlfs3vb52rkvsdarulga._file
Verdict:
suspicious
Similar samples:
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
RedLineStealer
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
RedLineStealer
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928
RedLineStealer
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
RedLineStealer
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
RedLineStealer
94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
RedLineStealer
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
RedLineStealer
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
RedLineStealer
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
RedLineStealer
e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4
RedLineStealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer infostealer family:redline trojan spyware family:agenttesla persistence discovery
Link:
https://tria.ge/reports/200915-2qg7erp5pe/
Behaviour
Kills process with taskkill
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/60739/
  
URLhaus
https://urlhaus.abuse.ch/url/461484/
  
Delivery method
Distributed via web download

Comments