MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 726bd8e077f8268ecfd6aa32ae684192a42fa69d2dc6f6d7c649f9292941e8e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments 1

SHA256 hash:	726bd8e077f8268ecfd6aa32ae684192a42fa69d2dc6f6d7c649f9292941e8e1
SHA3-384 hash:	c6fd41dc2ed84878fd3c0a5823cd49e831fec7dbf0c505dc0bd217d819d70841baab303cccd85d4adb465e9f006d7771
SHA1 hash:	7eb6f6e80b0a0967bb3ebd003e5ef93409f5a422
MD5 hash:	72959b32866bab9dac005c45f52f8c00
humanhash:	apart-mountain-lion-emma
File name:	72959b32866bab9dac005c45f52f8c00
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	203'264 bytes
First seen:	2022-03-08 17:41:04 UTC
Last seen:	2022-03-08 19:58:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:CTfi4Y1mr0aRxgwFZ73gHNSOeUi++9zJ0f7mb:ML4O/ZZUi5D0
Threatray	4'506 similar samples on MalwareBazaar
TLSH	T17314D01537DC0F26DA7E07B621202004CBF1646B6675E6A8BDDA75EF2B7AF110621F23
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/248414/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.44251.5691.32149.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62279ad80cd58dbd926882e8/reports/4af95dc0-84c9-486d-b00a-ba09f9ad1936/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db43772f-a13f-4451-8a2b-0374440c389c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/952846

Signature

.NET source code contains potential unpacker

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/726bd8e077f8268ecfd6aa32ae684192a42fa69d2dc6f6d7c649f9292941e8e1/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2022-03-08 00:40:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

4543a3d8d235564d4ee40c91668182795956ab149c15fb08afdc89111ab80082

RedLineStealer

8411282e09396eeac60b64899b70e5aa2260aa2d105a928a974cb467e2c8f5eb

RedLineStealer

903b3a81d1dd914891b70988502628c89e88099e7b1edf3a34d0624d1d396938

RedLineStealer

de1ae614a8a926b44989594d2bd4615c14700e575662d7c4689789d6b228f79e

RedLineStealer

e3bba340e5b42d375a326d4e55dab9060425b629c2d6f6ce46b1c46d2ec16371

RedLineStealer

+ 4'496 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:001 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220308-v925kahgh6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Downloads MZ/PE file

RedLine

RedLine Payload

Malware Config

C2 Extraction:

141.98.80.159:25730

Unpacked files

SH256 hash:

15b358ccfeee10ee99361d0815b0bd8f04c000234c119ecf4286706526405a6d

MD5 hash:

11fb14230ca5d3d27f7f0f260d148e6c

SHA1 hash:

4e3c5518df00005654d0450311dd358de61cb833

Link:

https://www.unpac.me/results/7df6950c-cb63-4167-938e-28b0c0b0874e/

SH256 hash:

726bd8e077f8268ecfd6aa32ae684192a42fa69d2dc6f6d7c649f9292941e8e1

MD5 hash:

72959b32866bab9dac005c45f52f8c00

SHA1 hash:

7eb6f6e80b0a0967bb3ebd003e5ef93409f5a422

Link:

https://www.unpac.me/results/7df6950c-cb63-4167-938e-28b0c0b0874e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/726bd8e077f8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/726bd8e077f8268ecfd6aa32ae684192a42fa69d2dc6f6d7c649f9292941e8e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.