MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a
SHA3-384 hash: ea21a985ef013700eb5e83de47a4ff94ff40c6159fb584fa9baf0f731785d41e29e686d4f3fb6687fce46fa9adbceacf
SHA1 hash: 07e9cc5c22b98c52e3f68fb30c153fb821b0c249
MD5 hash: b076d449c2fa8d8f1d8b8b07254df976
humanhash: oscar-xray-arizona-fix
File name:SecuriteInfo.com.Downloader-FBZCB076D449C2FA.5160
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:18'944 bytes
First seen:2020-12-07 16:51:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 384:3bDmj5FQno1JNkffPk6RVq7qf9cjjUYRPY1PI92w:3uyo36tR47nPUY9Y18
Threatray 242 similar samples on MalwareBazaar
TLSH 09821826B3D4573DFAF647B486BC01409572F2525913EBBEF8C8809B4B636560B523E3
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://hellousa.info/filestoload/cli/remeus.exe
Verdict:
Malicious activity
Analysis date:
2020-12-07 14:04:39 UTC
Tags:
rat redline trojan evasion
Link:
https://app.any.run/tasks/afcb3758-77a3-451a-9fc3-5110b7aaf884

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107061/
Detection(s):
SecuriteInfo.com.Downloader-FBZCB076D449C2FA.5160.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Launching a process
Sending a UDP request
Creating a file
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/557098
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Suspicious
First seen:
2020-12-07 16:15:47 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ryta5n3oe52iipuopg73llpppkpla3x3falbzeibuefmzndvuvfa._file
Verdict:
unknown
Similar samples:
20b8b1c1b7aa1a707819434f2ce27db4d8d2b613da99b491f94ad44db1d241e0
RedLineStealer
2224e77a950a10ddf527d06e3083641ef929afcf2eb7d195f749f404a511f4c2
RedLineStealer
2d5d3ed366994f5e1fc9ca69d7a5bafb242ee071c1ad021b6d255f2f09b0e269
RedLineStealer
2dc5c0066540aaeb6212c84a4c8e9e8655f943da800b35486587e9b1a4458b08
RedLineStealer
50c00ba4f97272838fbad92ea5f192ca154da696fb0691b1b730c025c930776f
RedLineStealer
796e01b82d47f19cfa0337ae70e8338b1afc999ebe42ce7ee3faf1e15218bcda
RedLineStealer
9c3b3e69af0914c05b102e9c8288d1a3a7526c14721b774cd129b606b7bf224d
RedLineStealer
a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
RedLineStealer
d740674533d5c0fb220dceec7eb0d440a1f01231a728030b355361b9f0aeff77
RedLineStealer
dc9fe75ae9a4b294880a7e28d39f15eeca4eee9996c9b4be425ffd0f9060f2ee
RedLineStealer
+ 232 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline infostealer keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201207-tnrzmljjqx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a
MD5 hash:
b076d449c2fa8d8f1d8b8b07254df976
SHA1 hash:
07e9cc5c22b98c52e3f68fb30c153fb821b0c249
Link:
https://www.unpac.me/results/2365d7ee-b8b0-4978-a57c-f0e0f4b83bd7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/896394/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/896517/
Cape
Cape
https://www.capesandbox.com/analysis/107061/

Comments