MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8



SHA256 hash: 9ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
SHA3-384 hash: f29a65bd3ea9a99ba5ce6f93c26bcdbb71fbcfc56e1f2f8babcbb81d14faa3cde7694abd3ac6618c8e816aa5accfac47
SHA1 hash: 712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
MD5 hash: 72131adb0e2315281aae445db11e09a2
humanhash: eleven-kansas-juliet-cold
File name: 72131adb0e2315281aae445db11e09a2.exe
Signature: RedLineStealer
File size: 351'232 bytes
First seen: 2020-11-01 18:44:09 UTC
Last seen: 2020-11-01 20:50:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 22c87ff9d53c8eae0251c1eaef3e8242 (3 x ZLoader, 2 x RedLineStealer)
ssdeep: 3072:Ci8VE2ZEIO95NbjA6J85TnOg2r++sCVYueyX5I4R3CDNCRpuj62R+aBYYpQoEiqW:mKPdbdJtbCZCq4X5VduNyUjkTYyk
Threatray: 406 similar samples on MalwareBazaar
TLSH: 0774DF117691C433C65244313521E3B16E39BCA26D7489C77BC8EF6B6E322D1EBA634E
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://eluveitie.xyz/IRemotePanel

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 133
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 80 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior graph: (image, not reproduced here)
Threat name: Win32.Downloader.Dofoil
Status: Malicious
First seen: 2020-11-01 17:46:21 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 3/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
AgentTesla Payload
AgentTesla
Unpacked files

SHA256 hash: ce28a1e20fdd8d3f576e41ab97f8c382e7fb03ca2cdc6bf3c79f95df00b04a8b
MD5 hash: 14f2752bce6aa1b070da87fe9e681896
SHA1 hash: 8575caecdd8f3e79b6f6c7d07321695f5c21ae17
Detections: win_redline_stealer_g0

SHA256 hash: d679faa43389367badab249429e9278e8bdd946c031475d79d8c9dca12fffe0d
MD5 hash: 55101c0ae3daf55ed3ea260e45742b56
SHA1 hash: e62cb7c58883ce83007b566f0e8966ac750602ea

SHA256 hash: 5ad780d0ee7ea62640d307fbb094d70451f3cc01f082ba9b46163c37bb9ea349
MD5 hash: 21944bf2039c76cddb62a54678c313e8
SHA1 hash: f3760022ddd5db91c8bf4f7d0e096109e9e8f066
Detections: win_redline_stealer_g0

SHA256 hash: 9ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
MD5 hash: 72131adb0e2315281aae445db11e09a2
SHA1 hash: 712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: RedLineStealer
File type: Executable exe
SHA256 hash: 9ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65 (this sample)

Delivery method: Distributed via web download

Comments