MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d3689555fe2d661aae711f0452288af2b4e4cdaecc3886964b3120872ae1fbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 3 File information Comments

SHA256 hash:	8d3689555fe2d661aae711f0452288af2b4e4cdaecc3886964b3120872ae1fbb
SHA3-384 hash:	e7e53bd4012c0d0358ceffb3fe60a1692d03d91ee5fe85b9846dab36c4508ab5bb35bd9ad3644b9b3e6de1d784eefec2
SHA1 hash:	a34bed980cad4ca8a4d399c5c587015b411b01af
MD5 hash:	fad0d800e56ef91c12ce58d2dd26666f
humanhash:	july-vermont-eleven-quebec
File name:	IMG_356537.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	966'096 bytes
First seen:	2021-09-29 13:49:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:4WuUFBKUzCedCXMv68wPXC7g6hvea4iy9Zmx93rgjU:nLFAUXdC8v68SSUevezi6mx938jU
Threatray	1'615 similar samples on MalwareBazaar
TLSH	T1C125F1422771CA25C7C42670B5F785288391DEA7F272B78F6F1E319868A23715D407EE
File icon (PE):
dhash icon	0082878eb181818e (2 x RedLineStealer, 2 x QuasarRAT, 1 x SnakeKeylogger)
Reporter	PhisherOfMan
Tags:	exe Redline RedLineStealer

PhisherOfMan

targeting crypto users

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
176.57.69.117:21596	https://threatfox.abuse.ch/ioc/227760/

Intelligence

File Origin

# of uploads :

# of downloads :

166

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG_356537.exe

Verdict:

Malicious activity

Analysis date:

2021-09-29 01:06:45 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/29690085-5b98-425f-a787-14b7cc16052c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/193195/

Detection(s):

SecuriteInfo.com.UntrustedCertificate.iObit-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b6012bf-9516-4845-976b-44c40cf7508c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/861383

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Connects to many ports of the same IP (likely port scanning)

Detected potential unwanted application

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Potential malicious icon found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8d3689555fe2d661aae711f0452288af2b4e4cdaecc3886964b3120872ae1fbb/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-28 17:06:42 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ru3isvk74llgdkxhchyekiuiv4vu4tg25tbyq2lewmjaq4vod65q._file

Verdict:

malicious

RedLineStealer

1e31f411b06517388b7adbcc5bc918f3985d447f710aa9711926faf68d044f9a

RedLineStealer

47f7aba81ea18b4228b8df7aebb135cacd5c36c2b9f79ae1c00fdeb961626f8f

RedLineStealer

7fefb4ac689e7334f5d66e01673dda50a293bbd7bca0bf3da972f01d32f54587

RedLineStealer

89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2

RedLineStealer

902c278916c230d5e51f24146feb8f7053bdbacaaf60df5399fad2dbccb88d77

RedLineStealer

963989f4b4d6e2d7c2281992ae5d62966726e81b5070b792399c7fd2017ca5ca

RedLineStealer

a32770d46ee2ee5b91cc36e5159868ec3ff7f847e7516d7bcb952f7a94e347a2

RedLineStealer

+ 1'605 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sasasa infostealer spyware

Link:

https://tria.ge/reports/210929-q5agjafbhl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Malware Config

C2 Extraction:

176.57.69.117:21596

Unpacked files

SH256 hash:

85b8e01881f839174025b4b10610d815936316b8a42a5e5c3c7c318fe381c678

MD5 hash:

bced872af4106830987f397564d8d30e

SHA1 hash:

ede1909f230d96cd34a49b1863201cd73b744fc7

Link:

https://www.unpac.me/results/345b3e6b-a296-46ed-b0b3-267c2d7014d1/

SH256 hash:

449608d8bec4d0dc3f4a4dafc20d27aad803326ee24b5d7047e727e0607e8a9b

MD5 hash:

afa9b60eeb9c5477baafa974d95fb795

SHA1 hash:

77dfff6322e2ed55e6cfcfb236d1feeef168725b

Link:

https://www.unpac.me/results/345b3e6b-a296-46ed-b0b3-267c2d7014d1/

SH256 hash:

fddc1687551a51f6a70ff4095c641a42c20ad7b68708716f08fddd94395ebf48

MD5 hash:

b8197e481203cbc2bec132b6d8850382

SHA1 hash:

4471e859718054c1b205c4d2102893b02efc814b

Link:

https://www.unpac.me/results/345b3e6b-a296-46ed-b0b3-267c2d7014d1/

SH256 hash:

efd2f7657839b252c2fb8489c1ccf610b8e57b471efe049de86a74bc1506775d

MD5 hash:

c3f3e4a9e9ab54bf847a9fc02e7a2160

SHA1 hash:

0853bec33e36ede763927cda0f03129ca763bc07

Link:

https://www.unpac.me/results/345b3e6b-a296-46ed-b0b3-267c2d7014d1/

SH256 hash:

8d3689555fe2d661aae711f0452288af2b4e4cdaecc3886964b3120872ae1fbb

MD5 hash:

fad0d800e56ef91c12ce58d2dd26666f

SHA1 hash:

a34bed980cad4ca8a4d399c5c587015b411b01af

Link:

https://www.unpac.me/results/345b3e6b-a296-46ed-b0b3-267c2d7014d1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8d3689555fe2d661aae711f0452288af2b4e4cdaecc3886964b3120872ae1fbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://cdn.discordapp.com/attachments/875404916150116402/892087430893690951/IMG_356537.exe

Delivery method

Multiple

Cape

https://www.capesandbox.com/analysis/193195/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample