MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c
SHA3-384 hash: 2f2bcf771647748bf9723e3f7c402ab85429ac52f6762e76d0e80c147dedabc3e362d5027659004070edd3bbb27d2ceb
SHA1 hash: c60a0243e7e6220daf6890015705cd5b299f4dc2
MD5 hash: 41598929a42c3f2bb561cc704ddad70e
humanhash: delta-friend-whiskey-kilo
File name:Acrobat Cracker v.6.3.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'673'728 bytes
First seen:2020-11-19 06:47:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 49152:tizxRc4x8N1DiQuwAAwYPHLjvk+25LiNzqDC4xpN1D:qx8TDiJtW/LjM1AFqLxpTD
Threatray 520 similar samples on MalwareBazaar
TLSH D275E1557A304973CC28FB74904F9E710F286F7AD98C9D6A64CCB1093BFB612941E8DA
Reporter JosephCoscia
Tags:RedLineStealer


Avatar
JosephCoscia
Found at https://gofile.io/d/Df2mc6

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Launching a process
Stealing user critical data
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/542675
Signature
.NET source code contains potential unpacker
Creates files with lurking names (e.g. Crack.exe)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c/
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Suspicious
First seen:
2020-11-19 06:48:08 UTC
AV detection:
25 of 48 (52.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sh5vphhrfqzx2moiw5j3ay2szqzuynzak2gcy3o74lobms22rmoa._file
Verdict:
unknown
Similar samples:
06c8996db7925f8eba3f2e8c64b7b80a5d7a896733c9bd479336ed0cd13d19df
RedLineStealer
23b916e5bb30f814e9819cf3499fe56820380b827b20f595022eabbd47267374
RedLineStealer
2bafe7b4f77916d7ca905d9d46453d27e090b85ba065f4892a886abdc8e51863
RedLineStealer
5f660b3ade2f06e699063a8ea77f25509dc4ea949bb8b590fefe22d94b70bbed
RedLineStealer
9ab99b021cac114dbf496c1b48e7f704799a1ca7d8b1e7e4366743f2e0ebcdfd
RedLineStealer
b8ddba51be188310218fd595f1053023789453dcc894b1a9a61d1d0494dee15d
RedLineStealer
bdda7b20a2773900ed2a046e25bbb583c906e818c355b3de59b0ff75e1f40780
RedLineStealer
e874283490ec44e6cad0729867ee2441d0eb80d76b615455babebc7f5d4ec452
RedLineStealer
f0b43b05479d8dde3603ef587da02925b703d7d5bc8332656ab9ca7f7e1554a4
RedLineStealer
f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7
RedLineStealer
+ 510 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline discovery infostealer keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201119-yhf9j7kt6n/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c
MD5 hash:
41598929a42c3f2bb561cc704ddad70e
SHA1 hash:
c60a0243e7e6220daf6890015705cd5b299f4dc2
Link:
https://www.unpac.me/results/89f7d604-b523-4a6e-bf76-d9d30bde4256/
SH256 hash:
c3c5d37e887c7872d8d1f6f7eba358c0eb83bc50fc137ca1b12d176d7b10ff94
MD5 hash:
2505e506a13390de08c2dd12f02fc95f
SHA1 hash:
4bb75d92bd6b204803cf96deac2fee14fc97a58f
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/89f7d604-b523-4a6e-bf76-d9d30bde4256/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/89f7d604-b523-4a6e-bf76-d9d30bde4256/
SH256 hash:
b38f1cc5f5871b60921ef40fc868d9a5fe342cf2fcad2387e213a818768f8bc0
MD5 hash:
92ac3fb98b2bc7be58d2c18a777cfeb0
SHA1 hash:
bb6e571e412884ce8864ae44c214478328599ec8
Link:
https://www.unpac.me/results/89f7d604-b523-4a6e-bf76-d9d30bde4256/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_redline_stealer_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:Detects unpacked main component of Redline Stealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c

(this sample)

anyrun
any.run
https://app.any.run/tasks/68e32450-7f10-4ae4-a758-1fd1920d4182
Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
  
Delivery method
Distributed via web download

Comments