MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f7d8a0885eafdb35c4e33f23733e53df213e4618e3c403536978a26a9ed93ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f7d8a0885eafdb35c4e33f23733e53df213e4618e3c403536978a26a9ed93ce
SHA3-384 hash: 4e197754abe70d917ac07bf3c7d86457c1f7380445b20589b5a4dcd22529527a785da4c65af1578372cbd40d1613445c
SHA1 hash: 91652d16851c6bae74b90a8cb312760a24786ed2
MD5 hash: 8c90ab4abca051e12e9cc200dd7dbecc
humanhash: fruit-avocado-oklahoma-berlin
File name:8C90AB4ABCA051E12E9CC200DD7DBECC.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:39'112 bytes
First seen:2021-04-21 06:01:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:j+T14z1dCVfp4GFTTtax14WtXzqfXLSqppnkrtLNeMeoBA3zF4DSgEy9O2TlBWIc:KT1qdCFvYqb3p90JLszTTy9k4hk
Threatray 32 similar samples on MalwareBazaar
TLSH 0503F55A51A1B019E9A74D722D62FD743B38A7316845E20EE422410CDF82BFE74DCDEE
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
51.254.187.177:3705

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
51.254.187.177:3705 https://threatfox.abuse.ch/ioc/9343/

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/141777/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Creating a file
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Deleting a recently created file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/690424
Signature
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 394154 Sample: dlWwfCMS3x.exe Startdate: 21/04/2021 Architecture: WINDOWS Score: 100 88 Found malware configuration 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected RedLine Stealer 2->92 94 3 other signatures 2->94 10 dlWwfCMS3x.exe 15 4 2->10         started        process3 dnsIp4 74 mmwrlridbhmibnr.ml 172.67.220.147, 49702, 80 CLOUDFLARENETUS United States 10->74 54 C:\Users\user\AppData\...\dlWwfCMS3x.exe.log, ASCII 10->54 dropped 14 dlWwfCMS3x.exe 5 10->14         started        file5 process6 dnsIp7 84 u10814761ft.ha004.t.justns.ru 185.22.155.63, 49712, 80 ASBAXETRU Russian Federation 14->84 64 C:\Users\user\AppData\Local\Temp\app.exe, PE32 14->64 dropped 66 C:\Users\user\AppData\Local\Temp\file.exe, PE32 14->66 dropped 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->86 19 file.exe 23 14->19         started        22 app.exe 14 4 14->22         started        file8 signatures9 process10 dnsIp11 46 C:\Users\user\...\FactoryProtectionTool.exe, PE32 19->46 dropped 48 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32+ 19->48 dropped 50 C:\Users\user\AppData\...\php_sodium.dll, PE32+ 19->50 dropped 52 9 other files (none is malicious) 19->52 dropped 26 FactoryProtectionTool.exe 6 42 19->26         started        68 104.21.86.143, 49716, 80 CLOUDFLARENETUS United States 22->68 70 192.168.2.1 unknown unknown 22->70 72 mmwrlridbhmibnr.ml 22->72 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->106 108 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->108 31 app.exe 22->31         started        33 app.exe 22->33         started        file12 signatures13 process14 dnsIp15 76 start.mil.ug 91.208.127.63, 21, 49729, 49730 AVTOSOYUZ-PLUS-ASRU Ukraine 26->76 78 iplogger.org 88.99.66.31, 443, 49726, 49727 HETZNER-ASDE Germany 26->78 56 C:\ProgramData\Data\Database.exe, PE32+ 26->56 dropped 58 C:\Users\user\AppData\Local\...\7zxa[1].dll, PE32 26->58 dropped 60 C:\ProgramData\Data\ssleay32.dll, PE32 26->60 dropped 62 7 other files (none is malicious) 26->62 dropped 110 May check the online IP address of the machine 26->110 35 Database.exe 26->35         started        38 Database.exe 26->38         started        40 cmd.exe 26->40         started        80 51.254.187.177, 3705, 49720, 49722 OVHFR France 31->80 82 api.ip.sb 31->82 112 Tries to harvest and steal browser information (history, passwords, etc) 31->112 114 Tries to steal Crypto Currency Wallets 31->114 file16 signatures17 process18 signatures19 96 Multi AV Scanner detection for dropped file 35->96 98 Query firmware table information (likely to detect VMs) 35->98 100 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->100 102 Hides threads from debuggers 38->102 104 Tries to detect sandboxes / dynamic malware analysis system (registry check) 38->104 42 conhost.exe 40->42         started        44 taskkill.exe 40->44         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f7d8a0885eafdb35c4e33f23733e53df213e4618e3c403536978a26a9ed93ce/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-17 23:29:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r56yucef5l63gxcogpzdom7fhxzbhzdbry6eanjws6fcnkpnspha._file
Verdict:
malicious
Similar samples:
1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf
RedLineStealer
2aab7a13f9d2f77601b7a8228b976e02fe1960b1eaf6669f12e646e10ced6ca3
RedLineStealer
3f11a6c481b433ce5fa625ae1c43558335c9d281d203f3d5a0653bd2d6053940
RedLineStealer
5073e1fa4493b7eda098621c9cc31bdcd36420e277aa9cdda5117def65c88ee9
RedLineStealer
599393e258d8ba7b8f8633e20c651868258827d3a43a4d0712125bc487eabf92
RedLineStealer
60ab8f94c2c07255e65790079803f15fa351f94363102883a14bae63d696c2ff
RedLineStealer
7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e
RedLineStealer
ae9f21e994994c7d538df1032eb81cba7c3cbff6a76e8c15d91c8fe6f78dfa28
RedLineStealer
b0fbbee768b77e2fe719f38622b54a01efd763255048374ab0340d56a430325f
RedLineStealer
d4e27b8e7e1fd965522468bdc3eaf06513dd3a3e7402d9b441ab002dfc892adc
RedLineStealer
+ 22 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@sultontheslayer discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210421-7yax64v8vx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
51.254.187.177:3705
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8f7d8a0885eafdb35c4e33f23733e53df213e4618e3c403536978a26a9ed93ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/141777/

Comments