MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76493231b5079b130b51b23a669c910a137a0e67fbabf59782de23dcf93a0d28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76493231b5079b130b51b23a669c910a137a0e67fbabf59782de23dcf93a0d28
SHA3-384 hash: 1e89092593dea30a66691ec20c81f61f69f6746729babf779bb21556986682f54d2d6c911dd982a44e8f8aaf1803582f
SHA1 hash: d80d2fa7b23396574738b35f94a2184bb98307a8
MD5 hash: abd1179ae904e45cd8262a79acabb15d
humanhash: apart-princess-delta-finch
File name:abd1179ae904e45cd8262a79acabb15d
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:67'072 bytes
First seen:2021-10-08 18:30:56 UTC
Last seen:2021-10-08 20:03:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:LJqWEyTs41Y9MKcPrMZ1IjsIG4sMVi7X25Ux0nEU/4Ty0x+WgWe7ryDARaj4mhyb:LJQNjTHIjsIGCiz2v/8HaykP
TLSH T17863B67B017550A6C1882730F8A50F4B7ABCD6351980B698B08FF2EADC1D69D9EF43B5
File icon (PE):PE icon
dhash icon cf8ba0cf99e462ad (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
440
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-08 18:26:25 UTC
Tags:
trojan rat redline evasion stealer vidar loader opendir
Link:
https://app.any.run/tasks/db83097c-8799-4f6d-8346-070b9a7dc1f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196238/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37748008.6879.11062.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61608e68e3d213d202bc0c28/reports/727906fa-9390-4be9-927b-8b8a2c62c17d/overview
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867277
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499703 Sample: ypvJe7UkpF Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected RedLine Stealer 2->70 72 .NET source code contains method to dynamically call methods (often used by packers) 2->72 74 4 other signatures 2->74 7 ypvJe7UkpF.exe 15 8 2->7         started        12 WinHoster.exe 2->12         started        14 WinHoster.exe 2->14         started        process3 dnsIp4 62 iplogger.org 88.99.66.31, 443, 49788, 49789 HETZNER-ASDE Germany 7->62 64 niemannbest.me 104.21.51.48, 443, 49764, 49778 CLOUDFLARENETUS United States 7->64 66 topniemannpickshop.cc 7->66 42 C:\Users\user\AppData\Roaming\7464207.scr, PE32 7->42 dropped 44 C:\Users\user\AppData\Roaming\6687945.scr, PE32 7->44 dropped 46 C:\Users\user\AppData\Roaming\5550741.scr, PE32 7->46 dropped 48 2 other malicious files 7->48 dropped 94 Detected unpacking (changes PE section rights) 7->94 96 May check the online IP address of the machine 7->96 98 Drops PE files with a suspicious file extension 7->98 16 3073848.scr 14 6 7->16         started        21 7464207.scr 7->21         started        23 2820706.scr 1 4 7->23         started        25 2 other processes 7->25 file5 signatures6 process7 dnsIp8 50 vwe.ckauni.ru 81.177.141.85, 443, 49792, 49861 RTCOMM-ASRU Russian Federation 16->50 52 querahinor.xyz 45.129.99.59, 49790, 81 GMHOSTUA Estonia 16->52 60 2 other IPs or domains 16->60 38 C:\Users\user\AppData\...\3073848.scr.log, ASCII 16->38 dropped 76 Detected unpacking (changes PE section rights) 16->76 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->78 80 Query firmware table information (likely to detect VMs) 16->80 92 3 other signatures 16->92 27 conhost.exe 16->27         started        54 178.63.26.132, 29795, 49825 HETZNER-ASDE Germany 21->54 82 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->82 84 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->84 86 Tries to steal Crypto Currency Wallets 21->86 29 conhost.exe 21->29         started        40 C:\Users\user\AppData\...\WinHoster.exe, PE32 23->40 dropped 88 Multi AV Scanner detection for dropped file 23->88 31 WinHoster.exe 23->31         started        56 the-lead-bitter.com 104.21.66.135, 443, 49782 CLOUDFLARENETUS United States 25->56 58 newbestpewpewcompany.com 25->58 90 Tries to harvest and steal browser information (history, passwords, etc) 25->90 34 conhost.exe 25->34         started        36 conhost.exe 25->36         started        file9 signatures10 process11 signatures12 100 Multi AV Scanner detection for dropped file 31->100 102 Detected unpacking (changes PE section rights) 31->102
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76493231b5079b130b51b23a669c910a137a0e67fbabf59782de23dcf93a0d28/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 17:34:38 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/211008-w52hxaege4/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
d23cda9c667e35993dfe00f6c34193a07b874d814d74d07e26e6999611912c3c
MD5 hash:
c909a99c4a24f3dda8a0daf846c8fcd2
SHA1 hash:
2052fac1919e9cb7fdb42a97fa9aefa9575fe4f9
Link:
https://www.unpac.me/results/25566097-6672-47c5-81a5-b26c91688cbf/
SH256 hash:
76493231b5079b130b51b23a669c910a137a0e67fbabf59782de23dcf93a0d28
MD5 hash:
abd1179ae904e45cd8262a79acabb15d
SHA1 hash:
d80d2fa7b23396574738b35f94a2184bb98307a8
Link:
https://www.unpac.me/results/25566097-6672-47c5-81a5-b26c91688cbf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/76493231b507/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76493231b5079b130b51b23a669c910a137a0e67fbabf59782de23dcf93a0d28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 76493231b5079b130b51b23a669c910a137a0e67fbabf59782de23dcf93a0d28

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1639256/
Cape
Cape
https://www.capesandbox.com/analysis/196238/

Comments


Avatar
zbet commented on 2021-10-08 18:30:57 UTC

url : hxxps://www.marketingonline.com/21triggers/yanik/DownFlSetup999.exe