MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer

Vendor detections: 11

SHA256 hash: 74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2
SHA3-384 hash: c1d820fa807536ee53d969c37a84669986709c3e9d4f05a2146e2261debea71525fefcbf48a168bb20640a7e93c8c1e3
SHA1 hash: bfba31cd013fa55124d64985c5fdce42d060e68a
MD5 hash: 1a1cde1aa11eb7bcc7fa63e1a6a710dd
humanhash: hot-oranges-failed-cup
File name: 1A1CDE1AA11EB7BCC7FA63E1A6A710DD.exe
Signature: RedLineStealer
File size: 2'464'660 bytes
First seen: 2021-06-18 00:42:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 49152:8bA3lvMSr+rObQps6K1jOSj62GKoCkuOX/+D3fnH50Q:8bZS2K1zG2GelDP50Q
Threatray: 324 similar samples on MalwareBazaar
TLSH: E8B52303F9D081B2D5229A324A68ABA1647EBD341F609EDB73E91A0CD6305D0E7357F7
Reporter: abuse_ch
Tags: exe RedLineStealer
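Before analysing a downloaded copy, confirm it is the file this entry describes. The imphash above is a poor pivot for that: it is shared with hundreds of DCRat, NanoCore and njrat samples because .NET executables import little more than mscoree!_CorExeMain, so unrelated .NET families collide on it. The cryptographic digests, file size and MZ header are the checks that matter. The script below is an added example, not MalwareBazaar tooling; it only uses Python's hashlib (all four listed digests are available there, whereas imphash, ssdeep and TLSH need third-party libraries), and the expected values are copied from the entry.

```python
"""Verify a local copy of the sample against the digests, size and file type
shown on this MalwareBazaar entry.  Added example, not MalwareBazaar code."""
import hashlib

# Values copied from the entry above.
EXPECTED_DIGESTS = {
    "md5": "1a1cde1aa11eb7bcc7fa63e1a6a710dd",
    "sha1": "bfba31cd013fa55124d64985c5fdce42d060e68a",
    "sha256": "74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2",
    "sha3_384": "c1d820fa807536ee53d969c37a84669986709c3e9d4f05a2146e2261debea7152"
                "5fefcbf48a168bb20640a7e93c8c1e3",
}
EXPECTED_SIZE = 2_464_660  # "File size: 2'464'660 bytes"


def compute_digests(data: bytes) -> dict:
    """Return {algorithm: hexdigest} for every algorithm in EXPECTED_DIGESTS."""
    hashers = {name: hashlib.new(name) for name in EXPECTED_DIGESTS}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_bytes(data: bytes, expected=EXPECTED_DIGESTS, expected_size=EXPECTED_SIZE) -> dict:
    """Return {check: (expected, actual)} for every failed check.

    An empty dict means size, MZ header and all digests match the entry.
    """
    failures = {}
    if len(data) != expected_size:
        failures["size"] = (expected_size, len(data))
    # application/x-dosexec on the entry implies a PE, which starts with "MZ".
    if not data.startswith(b"MZ"):
        failures["file_type"] = ("MZ header", data[:2].hex() or "empty")
    actual = compute_digests(data)
    for name, want in expected.items():
        if actual[name] != want:
            failures[name] = (want, actual[name])
    return failures


def verify_file(path: str, **kwargs) -> dict:
    """Read a file from disk (after extracting it from the downloaded archive) and verify it."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), **kwargs)


if __name__ == "__main__":
    import sys
    problems = verify_file(sys.argv[1])
    print("OK: copy matches the MalwareBazaar entry" if not problems else problems)
```

Run it as `python verify.py 1A1CDE1AA11EB7BCC7FA63E1A6A710DD.exe`; any mismatch is reported with the expected and observed values, so a truncated download or a repacked copy is caught before it reaches a sandbox or disassembler.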


abuse_ch
RedLineStealer C2:
193.38.235.35:18463

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
193.38.235.35:18463 | https://threatfox.abuse.ch/ioc/135611/

Intelligence


File Origin
# of uploads: 1
# of downloads: 136
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 1A1CDE1AA11EB7BCC7FA63E1A6A710DD.exe
Verdict: Malicious activity
Analysis date: 2021-06-18 00:56:15 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Xmrig
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 436437
Sample: qNLyS3UBN6.exe
Start date: 18/06/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Sigma detected: Xmrig; Found malware configuration; Multi AV Scanner detection for submitted file; 9 other signatures

Process tree (recovered from the behavior graph; elided paths are as shown by the sandbox):
- qNLyS3UBN6.exe
  - drops C:\Users\user\AppData\...\sddasfdsaf.exe (PE32)
  - drops C:\Users\...\ebVjUge5ki4KVkZglMTdJh5JX.exe (PE32+)
  - starts sddasfdsaf.exe
    - network: 193.38.235.35:18463 (local ports 49744, 49748), RACKTECHRU, Russian Federation; api.ip.sb
    - drops C:\Users\user\AppData\...\sddasfdsaf.exe.log (ASCII)
    - signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 2 other signatures
  - starts ebVjUge5ki4KVkZglMTdJh5JX.exe
    - drops C:\Users\user\AppData\Local\...\MemReduct.exe (PE32+)
    - drops C:\...\ebVjUge5ki4KVkZglMTdJh5JX.exe.log (ASCII)
    - starts cmd.exe
      - starts conhost.exe
      - starts schtasks.exe (signature: Uses schtasks.exe or at.exe to add and modify task schedules)
    - starts sihost32.exe (signature: Multi AV Scanner detection for dropped file)
    - starts MemReduct.exe
      - starts cmd.exe
        - starts conhost.exe
        - starts schtasks.exe
- MemReduct.exe (second start from the root)
  - network: 192.168.2.1
  - drops C:\Users\user\AppData\...\sihost32.exe (PE32+)
  - signatures: Multi AV Scanner detection for dropped file; Hijacks the control flow in another process; Machine Learning detection for dropped file; 5 other signatures
  - starts cmd.exe
    - starts conhost.exe
    - starts schtasks.exe
  - starts sihost32.exe
  - starts explorer.exe
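Two of the behaviours in the graph above are cheap to detect in endpoint telemetry: the stealer component's connection to the C2 endpoint listed in the IOC section, and persistence via schtasks.exe spawned (through cmd.exe) from a binary dropped under the user's AppData directory. The script below is an added example, not part of MalwareBazaar or of the sandbox that produced the graph. It runs two rules over a constructed list of Sysmon-style events (id 1 = process create, id 3 = network connect); the pids, the Downloads path, the api.ip.sb address and the schtasks command lines are invented for the example, while the C2 endpoint and the dropped-file names come from this entry.

```python
"""Detect the RedLine C2 connection and schtasks persistence from a dropped
binary, as described on this entry.  Added example, not sandbox or
MalwareBazaar code.  Events are simplified Sysmon-style records."""

# IOC from this entry (ThreatFox 135611).
C2_ENDPOINTS = {("193.38.235.35", 18463)}

# Constructed telemetry modelled on the behaviour graph; pids, paths outside
# AppData, the 203.0.113.10 address and command lines are invented.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Users\user\Downloads\qNLyS3UBN6.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Users\user\AppData\Roaming\sddasfdsaf.exe"},
    {"id": 3, "pid": 200, "dst": "193.38.235.35", "dport": 18463},
    {"id": 3, "pid": 200, "dst": "203.0.113.10", "dport": 443},  # stands in for api.ip.sb
    {"id": 1, "pid": 300, "ppid": 100, "image": r"C:\Users\user\AppData\Local\Temp\MemReduct.exe"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /tn MemReduct /tr "C:\Users\user\AppData\Local\Temp\MemReduct.exe"'},
    # Benign control: an administrator creating a task from an interactive shell.
    {"id": 1, "pid": 600, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe"},
]

# Directory fragments an unprivileged user can write to (lower-cased for matching).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")


def process_map(events):
    """pid -> process-create event, so parent chains can be walked."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(pmap, pid, max_depth=32):
    """Image paths from pid up to the root; bounded because pid reuse can form cycles."""
    chain = []
    while pid in pmap and len(chain) < max_depth:
        chain.append(pmap[pid]["image"])
        pid = pmap[pid]["ppid"]
    return chain


def c2_connections(events, endpoints=C2_ENDPOINTS):
    """Rule 1: any network-connect event whose destination is a known C2 ip:port."""
    return [
        {"rule": "c2_connection", "pid": e["pid"], "dst": f'{e["dst"]}:{e["dport"]}'}
        for e in events
        if e["id"] == 3 and (e["dst"], e["dport"]) in endpoints
    ]


def schtasks_from_user_path(events):
    """Rule 2: schtasks.exe whose ancestor chain includes a binary in a user-writable path."""
    pmap = process_map(events)
    alerts = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        chain = ancestry(pmap, e["ppid"])  # ancestors only, not schtasks.exe itself
        origin = next((img for img in chain
                       if any(m in img.lower() for m in USER_WRITABLE)), None)
        if origin is not None:
            alerts.append({"rule": "schtasks_from_user_writable", "pid": e["pid"],
                           "origin": origin, "cmdline": e.get("cmdline", "")})
    return alerts


def detect(events):
    """Run both rules and return the combined alert list."""
    return c2_connections(events) + schtasks_from_user_path(events)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed events the script raises exactly two alerts: the sddasfdsaf.exe connection to 193.38.235.35:18463, and the schtasks.exe launched under MemReduct.exe from AppData\Local\Temp. The administrator's schtasks.exe from a console with no user-writable ancestor is not flagged, which is the point of walking the parent chain rather than matching on schtasks.exe alone; the api.ip.sb lookup is also silent, since an IP geolocation request is not itself an IOC.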
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-06-15 18:55:10 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SHA256 hash: 74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2
MD5 hash: 1a1cde1aa11eb7bcc7fa63e1a6a710dd
SHA1 hash: bfba31cd013fa55124d64985c5fdce42d060e68a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: XMRIG_Miner

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments