MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
SHA3-384 hash: 85bb101a5ab88daa646e80315b9c86b04cd719bb97461f9847f1d0e30e00b175e34ca476a54e75dbf7aa4ba347e7c78d
SHA1 hash: 1a37bf11e2b75384785d05780fe17fe1167bfbb1
MD5 hash: b77a1d58626a5d4a77202afbf717accb
humanhash: harry-mississippi-oscar-georgia
File name:b77a1d58626a5d4a77202afbf717accb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:24'576 bytes
First seen:2020-11-02 09:13:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 384:SlD2Km4lAa8QFrvgjdl1ev0jZy/vXhEIWVCCC9iAmhfGPmtAEXWNiH:Sp2Km4lApk7gjdl1s0jZyOIWVmiAmYQ
Threatray 155 similar samples on MalwareBazaar
TLSH 17B24C3373F58335C5AA4B3A41E9E2511270A6457002DFDBADC825A96F237C36A233D7
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81776/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.58261.22056.6753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Launching a process
Sending a UDP request
Creating a file
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/518050
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308130 Sample: hVDdUEUTYm.exe Startdate: 02/11/2020 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected RedLine Stealer 2->39 41 Uses ping.exe to sleep 2->41 43 5 other signatures 2->43 8 hVDdUEUTYm.exe 15 3 2->8         started        process3 dnsIp4 29 n3vl.hbumin.ru 81.177.135.41, 443, 49717 RTCOMM-ASRU Russian Federation 8->29 25 C:\Users\user\AppData\...\hVDdUEUTYm.exe.log, ASCII 8->25 dropped 47 Writes to foreign memory regions 8->47 49 Allocates memory in foreign processes 8->49 51 Injects a PE file into a foreign processes 8->51 13 AddInProcess32.exe 14 23 8->13         started        file5 signatures6 process7 dnsIp8 31 api.ip.sb 13->31 33 WHOIS.RIPE.NET 193.0.6.135, 43, 49727 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 13->33 35 6 other IPs or domains 13->35 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->53 55 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->55 57 Tries to harvest and steal browser information (history, passwords, etc) 13->57 17 cmd.exe 1 13->17         started        signatures9 process10 dnsIp11 27 127.0.0.1 unknown unknown 17->27 45 Uses ping.exe to sleep 17->45 21 conhost.exe 17->21         started        23 PING.EXE 1 17->23         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 08:44:20 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucqzkl4up2xkl5knulbuhwqnydxvzv54ld7cp4o36ttrthtvpijq._file
Verdict:
unknown
Similar samples:
11556dc2b13d8c9749a60986519048ff3b8bccb5484efd63d0eb07efad71ccdc
RedLineStealer
5515062c13a830721908555c82f8d1812fb6294e0c20e94d3631a9e77952e29b
RedLineStealer
5b4cbc85472de1347063a0fdacda8089e916ec37d4e079145a5d81bc3a57c0c5
RedLineStealer
9c3b3e69af0914c05b102e9c8288d1a3a7526c14721b774cd129b606b7bf224d
RedLineStealer
aa2e16cedcf7cec09f23a7737adff8068bf5fe0b8f22027ef83add526761a12a
RedLineStealer
b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04
RedLineStealer
d1ff8fc9653175919374088eade3f15aaf022129f0e3d23669717416b7161c72
RedLineStealer
d38ed95f4f670f295e3b5a2c5d694bbf3ffb28e56f99abd0ef32d5e80d20f0db
RedLineStealer
dd6dee2697bcc5d714a75c7139963f3f13a214fd508d4e67d5962e93b44b7b14
RedLineStealer
f8724be2161dfc04188b5203d9194c530a528cddbc380825258a0adb287e468a
RedLineStealer
+ 145 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline infostealer keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201102-nc14a81ma6/
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13
MD5 hash:
b77a1d58626a5d4a77202afbf717accb
SHA1 hash:
1a37bf11e2b75384785d05780fe17fe1167bfbb1
Link:
https://www.unpac.me/results/46361e5f-eb3d-4c9b-84db-9523bccb11c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a0a1952f947eaea5f54da2c343da0dc0ef5cd7bc58fe27f1dbf4e7199e757a13

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/759003/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/81776/

Comments