MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84904a91de28f8aff1863d9831dddea0110e94761287579926e843b1b4046608. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 7 File information Comments 1

SHA256 hash:	84904a91de28f8aff1863d9831dddea0110e94761287579926e843b1b4046608
SHA3-384 hash:	72036e6a913d186f06ee06b3df63897d43df8c3555a726a2813ea0f4b6f171358d5be99a5ef88c9a1afd48bfcfba9807
SHA1 hash:	6b8bca9b8e5e8b32f198c37c08358533bb73a16e
MD5 hash:	69dd97850f63fac1927313fb9983ab58
humanhash:	jupiter-equal-oranges-twelve
File name:	69dd97850f63fac1927313fb9983ab58
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'194'808 bytes
First seen:	2021-07-22 11:14:01 UTC
Last seen:	2021-07-22 11:41:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:w3plS2a1uVYW0iWmYt+OSnBwukkmXmg+LvrY24+6CCdtUjmq0/3LOiVo/mRzLk2:w3lTWpjnvm5vYrdSUCmouzA2
TLSH	T1C145E5535AC1D652CD693AFB8E77923C92E2C3DD0223E616D92F53F32D127286A1E5C0
dhash icon	d4ccace968ecccca (1 x RedLineStealer, 1 x AZORult, 1 x RaccoonStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer signed

Code Signing Certificate

Organisation:	Exodus Movement Inc
Issuer:	DigiCert SHA2 Assured ID Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2018-08-30T00:00:00Z
Valid to:	2021-09-07T12:00:00Z
Serial number:	0f92c2415451ab1207404e9555788813
Thumbprint Algorithm:	SHA256
Thumbprint:	de0fa1a745145686da2bb6fcdead3873b33efd448ecead033e6010717c81c69b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
195.149.87.39:20170	https://threatfox.abuse.ch/ioc/162065/

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

69dd97850f63fac1927313fb9983ab58

Verdict:

Malicious activity

Analysis date:

2021-07-22 11:17:38 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/fc75a6bb-65f3-437b-a8a2-4f465132d272

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/173284/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37275266.22499.31185.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b102d0ff-a283-4b91-9b79-41749e08da01

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/820063

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84904a91de28f8aff1863d9831dddea0110e94761287579926e843b1b4046608/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-21 23:57:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qsieveo6fd4k74mghwmddxo6uaiq5fdwckdvpgjg5bb3dnaemyea._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:33344 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210722-pej62zxl9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

195.149.87.39:20170

Unpacked files

SH256 hash:

0425748693c24738626b410b213fb2cb5d4b6933be5e5c9852d26bdfd0e7a578

MD5 hash:

af514ec31be13c4a230deab40baf9d96

SHA1 hash:

cb798b16daf344d5f9464683af5093fc05999b21

Link:

https://www.unpac.me/results/728c2126-a6cc-4b69-9070-b296c9c529c7/

SH256 hash:

1d6606c0a6b4e50541aad903a9b349d7fa82bdb409d50cd03b9dfe5390df9b92

MD5 hash:

942085891d65c337a5c7e67ecc58cd4e

SHA1 hash:

c40e25a56f9bde6fb175ced2e37e24ea891d8044

Link:

https://www.unpac.me/results/728c2126-a6cc-4b69-9070-b296c9c529c7/

SH256 hash:

83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1

MD5 hash:

b1a7b752b6638ee03cffe5a1dde9213e

SHA1 hash:

52d215a173d2f293990f8c12fc7f4a86330a29cb

Link:

https://www.unpac.me/results/728c2126-a6cc-4b69-9070-b296c9c529c7/

SH256 hash:

6e8a220abae0c28bcc22ca3836600f55c4841bdcf1fe4c07bcf2381003de43e0

MD5 hash:

6005d0d0f5285aee8c7a931a8fa7a1f9

SHA1 hash:

1ee720522b26c34a851663538b1f9f3511aa5286

Link:

https://www.unpac.me/results/728c2126-a6cc-4b69-9070-b296c9c529c7/

SH256 hash:

d3cc35436a12a8d51f21b6604bb6965a434c82a6f17ee236d50c0ced4e6b1142

MD5 hash:

743b85674d1ca9c51220d164f5cdb930

SHA1 hash:

06bb80d675cf6c860aa3d743078cf412fbaed8de

Link:

https://www.unpac.me/results/728c2126-a6cc-4b69-9070-b296c9c529c7/

SH256 hash:

84904a91de28f8aff1863d9831dddea0110e94761287579926e843b1b4046608

MD5 hash:

69dd97850f63fac1927313fb9983ab58

SHA1 hash:

6b8bca9b8e5e8b32f198c37c08358533bb73a16e

Link:

https://www.unpac.me/results/728c2126-a6cc-4b69-9070-b296c9c529c7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/84904a91de28f8aff1863d9831dddea0110e94761287579926e843b1b4046608

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)