MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
SHA3-384 hash: 55aa097f23d344bea1022d2bed0fab910a4f4b28dd6d5d5f1d66745fac4dada617b3e8fab6b8cc21744d45425920cc69
SHA1 hash: abb680ef5e005da1610828d518c15a250b001fd9
MD5 hash: 6943b3380427465a7998ddf3a96945a0
humanhash: robert-nineteen-freddie-robert
File name:6943b3380427465a7998ddf3a96945a0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:351'232 bytes
First seen:2020-11-01 06:47:03 UTC
Last seen:2020-11-01 08:48:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f5981550618c27c9f704c75b2ce8d3a0 (7 x Tofsee, 1 x RedLineStealer, 1 x CoinMiner)
ssdeep 3072:wSnhY4Ovq3x665VLwTKKZIfUtv6pqyRR+Bg4YYWoYJpcWVZvCZAg0DIalmr9wniV:mvCxy91huqyRrHYWZkn8Ia69cW
Threatray 121 similar samples on MalwareBazaar
TLSH 6E74D0007590C532C252453D4821E2BC563ABC696B348A677BD4EF6F3E321D3EBA635E
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81577/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44289770.32207.22682.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Launching a process
Creating a file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/517585
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 307896 Sample: hThhnxzPVe.exe Startdate: 01/11/2020 Architecture: WINDOWS Score: 96 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected RedLine Stealer 2->44 46 May check the online IP address of the machine 2->46 48 2 other signatures 2->48 6 hThhnxzPVe.exe 15 23 2->6         started        process3 dnsIp4 36 api.ip.sb 6->36 38 WHOIS.RIPE.NET 193.0.6.135, 43, 49719 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 6->38 40 7 other IPs or domains 6->40 20 C:\Users\user\AppData\...\hThhnxzPVe.exe.log, ASCII 6->20 dropped 50 Detected unpacking (changes PE section rights) 6->50 52 Detected unpacking (overwrites its own PE header) 6->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 6->54 56 2 other signatures 6->56 11 WerFault.exe 9 6->11         started        14 WerFault.exe 9 6->14         started        16 WerFault.exe 9 6->16         started        18 10 other processes 6->18 file5 signatures6 process7 file8 22 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 11->22 dropped 24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->24 dropped 26 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->26 dropped 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->32 dropped 34 7 other malicious files 18->34 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-10-31 18:36:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
134e51b800db1c1a5696a4624bc1693fab9019e81ea0a43af7067e00f6cd5b67
RedLineStealer
19a73389eedc939c7060dda1dba9861db19f238a9da6e127d9674f72519478ef
RedLineStealer
38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f
RedLineStealer
5b4cbc85472de1347063a0fdacda8089e916ec37d4e079145a5d81bc3a57c0c5
RedLineStealer
6b821b358a92094bf1218d5a455e7205efeda83a4b4247d010a86b77e284ee75
RedLineStealer
a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3
RedLineStealer
b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04
RedLineStealer
b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
RedLineStealer
e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c
RedLineStealer
e956a58b3dfb4b71d0fddad3a02ffd5cc0c3413684b59e2f9f14fd3626250f1d
RedLineStealer
+ 111 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline discovery infostealer keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201101-vzeq2ppywa/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
MD5 hash:
6943b3380427465a7998ddf3a96945a0
SHA1 hash:
abb680ef5e005da1610828d518c15a250b001fd9
Link:
https://www.unpac.me/results/7f45bfca-580a-4543-a19a-29df72269d92/
SH256 hash:
56d829661441aa53cbb6afe5e3a642876636eacde4931093dc9d8675a0f8444a
MD5 hash:
2107cb2760a8df747020af3f438f56b2
SHA1 hash:
04cb76313c1c027ec9198bded7d59687eeacfc9d
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/7f45bfca-580a-4543-a19a-29df72269d92/
SH256 hash:
aef70833d39d120beac404decab4002b26e5ff54f738dea8ee0764a7a80c266d
MD5 hash:
9b8a2ef674759e99fa6fa35d81436347
SHA1 hash:
a25479898d23b190eb5ddb175d76800846c885f3
Link:
https://www.unpac.me/results/7f45bfca-580a-4543-a19a-29df72269d92/
SH256 hash:
a9ef9771a0f68762a948e1cf9c766cd5ee2e55be02cdc0b988e10a01d444f47e
MD5 hash:
ed5cdfe8dac936557bd02bb5447d34cd
SHA1 hash:
b7829adb54f1a0ff9f952558c72e606c0fff26d9
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/7f45bfca-580a-4543-a19a-29df72269d92/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/759003/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/81577/

Comments