MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer

Vendor detections: 9

SHA256 hash: 7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb
SHA3-384 hash: d5aed4a640fc09dc2e1efb2905057c4019b7c890ca4fcdaf500bdfdcb8cf7c1056f90660bbab5b6fbbfd1721a45cd157
SHA1 hash: 8e2c19b9247bb799a2f0191af144cdf2e85db099
MD5 hash: db78b6b4e4ace66632b1b7d746f1d716
humanhash: cola-nuts-cardinal-dakota
File name: db78b6b4e4ace66632b1b7d746f1d716.exe
Signature: RedLineStealer
File size: 390'656 bytes
First seen: 2020-12-07 19:01:29 UTC
Last seen: 2020-12-07 20:38:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8199980e4fa11bb2eef21fa8f6072def (1 x RedLineStealer)
ssdeep: 6144:8qprONykLCWtRm2YXSO6UBN+k2LaAa4TbuS0TLCK:LpaNyk2WHm2u2U8aAa4T6SECK
Threatray: 171 similar samples on MalwareBazaar
TLSH: 5384DF1176A1C472C03175716553CBBC9A6FB8B5E821DA4B2BC9E6B80F347D29A6230F
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://dovakl.xyz/IRemotePanel

Intelligence


File Origin
# of uploads: 2
# of downloads: 157
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: db78b6b4e4ace66632b1b7d746f1d716.exe
Verdict: Malicious activity
Analysis date: 2020-12-07 19:04:45 UTC
Tags: rat redline trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Stealing user critical data
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Worm.Agobot
Status: Malicious
First seen: 2020-12-07 19:02:05 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SHA256 hash: 671f2de885a15f6d4b03e928a7dd45a3db129525607d8e49905d3fb1398ece55
MD5 hash: 04a60dd808149ca53898b2cdf18cec63
SHA1 hash: 1ab993fd9e7621e3073d00dd168b84fd6d47b524

SHA256 hash: 812010441af23194d635156f9295b0d6f5525f83657ee7af21990f954fbbd4fa
MD5 hash: 1977e8003b9c489dfdc99313e09ba413
SHA1 hash: 71eee64b34902720f6d290081adad27ccd6b23e5
Detections: win_redline_stealer_g0

SHA256 hash: 97d6d7c5bf75454c4cec7bae1218c2a038e05bfaf7c7f7c208bce825dcfadc17
MD5 hash: 48ed6912264bdb9101cc99991a1b7ca1
SHA1 hash: 8200ea6e70e65ef8af4910cca9a3beed952954d2
Detections: win_redline_stealer_g0

SHA256 hash: 7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb
MD5 hash: db78b6b4e4ace66632b1b7d746f1d716
SHA1 hash: 8e2c19b9247bb799a2f0191af144cdf2e85db099
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: RedLineStealer
Sample: Executable exe 7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb (this sample)
