MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c3b3e69af0914c05b102e9c8288d1a3a7526c14721b774cd129b606b7bf224d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c3b3e69af0914c05b102e9c8288d1a3a7526c14721b774cd129b606b7bf224d
SHA3-384 hash: 1a7e9b7436a42c3fb5e8a135f94faee31c97f46a46c6bc6252e7f7e6f97d8426ae85b012e2b3c4ae7fa9dfe3d2c413b0
SHA1 hash: 4ba3d0b491aa7659b6d880b7bbb7c38a1083f117
MD5 hash: c2e2fc64404910a478067ba455159e13
humanhash: mango-maine-three-dakota
File name:c2e2fc64404910a478067ba455159e13.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:25'088 bytes
First seen:2020-10-28 15:30:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 384:Y/NALOj4jovYxnPe0j0qjyjO7Gq0V6JsxsOiGUs8q9f1R2GtbNi5:YlALOj4j0YRec0qjyf2OiGUaz2im
TLSH 55B24A21B7E84736C56E0F3F55F6C3401271E2857402DBDF9D9820A56EB3B86A5227E3
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://138.124.180.19:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/80541/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Launching a process
Creating a file
Connecting to a non-recommended domain
Connection attempt
Sending a TCP request to an infection source
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/515290
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c3b3e69af0914c05b102e9c8288d1a3a7526c14721b774cd129b606b7bf224d/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-28 15:32:04 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tq5t42npbekmawyqf2oifcgruotve3auoinxotgrfg3ann57ejgq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201028-bkl5hzay6j/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9c3b3e69af0914c05b102e9c8288d1a3a7526c14721b774cd129b606b7bf224d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/80541/
  
URLhaus
https://urlhaus.abuse.ch/url/759003/
  
Delivery method
Distributed via web download

Comments