MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574
SHA3-384 hash:	ce54f30e0d44c1516f3dd65ca8f07ca98d2539a41e413eca5181bf6ab347a29e109c912b77b656d959c501b936c2db3e
SHA1 hash:	c68846bfb3f2a79ea7b96735a82327bdc5d84465
MD5 hash:	fa4ef0d48cb786719afec73dbe761ab0
humanhash:	queen-oklahoma-wyoming-pennsylvania
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	448'512 bytes
First seen:	2022-10-19 17:05:47 UTC
Last seen:	2022-10-19 22:35:32 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:hxb3FqXHIgx7FT05XYc/ckTsmr96dka8iPFTErSddl+r1Pp9kXc6gsVOcIgVE71R:hxb0oDA5uygIdqfsVOcIwE7aDQ
Threatray	505 similar samples on MalwareBazaar
TLSH	T1D7949DC6461809ABC97D6E7D8409C74E93CA7A680EC7CAD371032BDF4AC42DF9861677
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc32384019_646103101?hash=jQkGszaFRCcaJFr9IL8PduxTc5H4XYvBo3n3gq22kpo&dl=GMZDGOBUGAYTS:1666195033:nAxW0lNsyqcmx1Zt56AWHKfwZGIl1qlvRVYlO2ZUNRD&api=1&no_preview=1#10c1401

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-10-19 17:08:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0bc59417-f08b-453c-b392-267d454db1bc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321788/

Detection(s):

SecuriteInfo.com.Trojan.PWS.StealerNET.122.10170.28128.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Creating a file in the system32 subdirectories

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63502e7efdf6478a15af9b86/reports/8b0a7da7-425f-4750-a923-244a8f8ac8d9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/169e6e8a-6b3a-4f7f-b5d4-3a2ec717129f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1093664

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-10-20 01:11:04 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uc4ct6xdzhhjttla5wrp2fubfn23hafq66w3hzlovvu6bb6c2v2a._file

Verdict:

unknown

RedLineStealer

4545f4eb2f04f075efdee44e3c2f98e31b5d3c25a258614cc6c85f8ea9cfd1e4

RedLineStealer

6b7204b9938cdc7e24b589faac4e12ed848c7121269899614b38bc95784845b9

RedLineStealer

7157ea22835284e4b38c05ac415ead575656efa2389f74dcfbb8ab910031427c

RedLineStealer

7497edc571612474fa977fb41380c3a95b2912b2cda52898dc0a404f067c9ee3

RedLineStealer

ae704a7a716d4496ce1f47ca054a79f60e9cb4d8cdb898d5fcf06a172006b833

RedLineStealer

bb06bf5d8b68991bf2545a1b560b535d35ec17f870f4b53f62c31dc3d1148408

RedLineStealer

ea22f746189bf2d6ad50b7e04bf79cc153ce431f04dd2c5437632949d7eb66d0

RedLineStealer

+ 495 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:lx1809 infostealer spyware

Link:

https://tria.ge/reports/221019-vme2hsghg4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

77.73.134.2:4427

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/33f53821-5656-4aaf-a52a-577f5bc5fb3e

Unpacked files

SH256 hash:

a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574

MD5 hash:

fa4ef0d48cb786719afec73dbe761ab0

SHA1 hash:

c68846bfb3f2a79ea7b96735a82327bdc5d84465

Link:

https://www.unpac.me/results/99249ce1-b1a7-47d3-98e1-8ea92490e4f2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/321788/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample