MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95129ce014d0264688c32aaddf7707ec591f6be1335f5cd67b44e9983b61da9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95129ce014d0264688c32aaddf7707ec591f6be1335f5cd67b44e9983b61da9b
SHA3-384 hash: 6ecd10fb11347bd291f201bace7aa8da387852152f994a5288ccd713b8038be829f900bad0f13c71dadcb17309a40e45
SHA1 hash: e3bdb12270794012fd7fbb79637fc43119751f40
MD5 hash: 034c7d8fabacc35fd6312cf438124340
humanhash: hotel-mobile-colorado-golf
File name:034c7d8fabacc35fd6312cf438124340.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'028'608 bytes
First seen:2020-07-10 07:06:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:okv+Axi7/kyeScoGdP4rDzZJ6x2WZTG7mAswKdmbXXXXX3DXXXXXX3XYXXXXXXXN:os+/Z8SZJEVpTw
Threatray 19 similar samples on MalwareBazaar
TLSH 6B258DC02BCF4635DDD146726C7B9D12063E6443532A83AB27682F7A9E7E610EB53327
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://195.2.92.68:81/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24247/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95129ce014d0264688c32aaddf7707ec591f6be1335f5cd67b44e9983b61da9b/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 01:12:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sujjzyau2atencgdfkw565yh5rmr627bgnpvzvt3ituzqo3b3knq._file
Verdict:
malicious
Similar samples:
14fe0fa7e16253e53ce4c25616e08006ad09330bea8df9161a47b2815cd83067
RedLineStealer
2cba7569fc0d1b991734fdc617a03fe425edeff12546d81702254404b0bf33ab
RedLineStealer
38ee6bea62658ae4fa75914261a5848a8db5b332ddfb52daf01e958871559e15
RedLineStealer
5969cc370c2929ff7126536d7305f923a2ed66427932ede1b6ef21a7918c9b53
RedLineStealer
62d2e3131e68b84b46765a9faa25e2173fa546fd875b99fac3422e7e02a84738
RedLineStealer
e5093e304a50d34cdf67ee8e49713c6131d6740e664ea49d9c98682336e3141a
RedLineStealer
e97c8416fc63162b69167c2b4f51f82ae6aacc8e4276b76ca5b775ba2ec437ea
RedLineStealer
e987d7cfccfc0718988a08971314cc56c07be7ff1985dd64d70165c7850b4b66
RedLineStealer
eb9a70ac0d1f7c413f10f5308bda81e1da5a9b5bfd2ab7c8d89232eada71c143
RedLineStealer
fa377574c99698cd65d8897d93e96c287dff271d4838107aeac36e7a843c1053
RedLineStealer
+ 9 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
spyware infostealer family:redline evasion trojan discovery
Link:
https://tria.ge/reports/200710-81am8x5t92/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Checks whether UAC is enabled
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Modifies system certificate store
Checks for installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
Loads dropped DLL
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 95129ce014d0264688c32aaddf7707ec591f6be1335f5cd67b44e9983b61da9b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/24247/
  
URLhaus
https://urlhaus.abuse.ch/url/408186/
  
Delivery method
Distributed via web download

Comments