MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70c093150fa3fde11e3929a1f232ab3a9183efc85bc324e47806eb228cd1c891. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	70c093150fa3fde11e3929a1f232ab3a9183efc85bc324e47806eb228cd1c891
SHA3-384 hash:	d95e2446ad2e6d7ca43bae6964d4a96dc542256a09befd9e5e0f4a46b7664326dca830c724d7a568a3e293931cc98ce8
SHA1 hash:	ab98697709525e0a5a2161fb0ac59e70b39ad489
MD5 hash:	7b045591eb7bd3120e8abb6085b4961e
humanhash:	massachusetts-zebra-july-princess
File name:	QUOTE_GMC88920018892PDF.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'025'536 bytes
First seen:	2021-05-24 15:47:56 UTC
Last seen:	2021-05-24 16:02:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:GJqyBUUcwYVmbrfkgI43bANcGhUWsjTGvPXqECm4nRVixe98TD4MseMrek8xUyqN:GWUcwYVycCMNcGhUWsGv/abweGfr4Z
Threatray	384 similar samples on MalwareBazaar
TLSH	C025389D11AAA01BC118C2B899C5AA67E450DF373631AA15FCC3BF8D6B31FD074521BE
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QUOTE_GMC88920018892PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-05-25 01:27:43 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/7bbab2db-aff4-484f-8c57-85bda0073848

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Remcos-9846521-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/790549

Signature

.NET source code contains very large strings

Found many strings related to Crypto-Wallets (likely being stolen)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses dynamic DNS services

Uses known network protocols on non-standard ports

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70c093150fa3fde11e3929a1f232ab3a9183efc85bc324e47806eb228cd1c891/

Threat name:

ByteCode-MSIL.Packed.Generic

Status:

Suspicious

First seen:

2021-05-24 15:48:12 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=odajgfipup66chrzfgq7emvlhkiyh36ilpbsjzdya3vsfdgrzciq._file

Verdict:

malicious

RedLineStealer

864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096

RedLineStealer

95cd8d4bc79853ac7a2a8b7b990cd33937db02fb3ee7b4650d5add5609687e91

RedLineStealer

a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d

RedLineStealer

cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30

RedLineStealer

d297909c5beef3cdc63c28a941d7e14e90472bee97389f7021bcc2b9b4be21f4

RedLineStealer

f037bf66b6f50392119e4c163d9b0fbea6d2fec0d9f1c6338889cc9de619887e

RedLineStealer

f255df45c7572d4034a214a87819554dc186a8d325f6930c0b37e15ce1d75821

RedLineStealer

f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3

RedLineStealer

fb4b3f42369b356e01ff430cc836d9291693cd54f7073f4293f0277c3450b500

RedLineStealer

+ 374 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210524-5c2yd9kn1s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

nano957.duckdns.org:54649

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/70c093150fa3fde11e3929a1f232ab3a9183efc85bc324e47806eb228cd1c891

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

exe 70c093150fa3fde11e3929a1f232ab3a9183efc85bc324e47806eb228cd1c891

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample