MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a345a58d67b17e5f35c9484ff4d6cd52061ddebb7fd8f4fd51c607698779018c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 2 YARA 4 File information Comments

SHA256 hash:	a345a58d67b17e5f35c9484ff4d6cd52061ddebb7fd8f4fd51c607698779018c
SHA3-384 hash:	d89508c0e21c0bfe9bf4fcb27a91cecb027dcf139736a2280b1835dc9397ba29c7c3d5dad09b783d78b05a7f0c0f1ac7
SHA1 hash:	eb16921dcde9582751344866be3766767521c93c
MD5 hash:	38b782477680ba7e66c9b728a2de8046
humanhash:	echo-fish-spaghetti-mike
File name:	A345A58D67B17E5F35C9484FF4D6CD52061DDEBB7FD8F.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	614'912 bytes
First seen:	2021-08-27 22:15:44 UTC
Last seen:	2021-08-27 22:47:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:1EnScj9qlZTZHq9uEXiCrbD8cA/cMqOoW:E5iZTpox4cAEMqLW
Threatray	319 similar samples on MalwareBazaar
TLSH	T123D48B0E65544A0FD6741EF1B0BB4CA803EDADCA7B3E928F2A35F2DD2B7139199412C5
dhash icon	71d0f0e0e0e4f071 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://45.67.228.93/IRemotePanel

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.67.228.93/IRemotePanel	https://threatfox.abuse.ch/ioc/201309/
45.67.228.93:80	https://threatfox.abuse.ch/ioc/201310/

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

A345A58D67B17E5F35C9484FF4D6CD52061DDEBB7FD8F.exe

Verdict:

Malicious activity

Analysis date:

2021-08-27 22:17:54 UTC

Tags:

trojan rat redline opendir

Link:

https://app.any.run/tasks/fcb7e5a0-73d9-44a0-8c06-321b504f7cf4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/182984/

Detection(s):

SecuriteInfo.com.Trojan.PWS.StealerNET.51.6134.10514.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Running batch commands

Using the Windows Management Instrumentation requests

Searching for the window

Launching a process

Connection attempt to an infection source

Launching a tool to kill processes

Sending an HTTP POST request to an infection source

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a86d320f-3b8a-478a-94b0-d9817c6b9702

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/840616

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a345a58d67b17e5f35c9484ff4d6cd52061ddebb7fd8f4fd51c607698779018c/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-07-25 15:16:52 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=unc2ldlhwf7f6nojjbh7jvwnkidb3xv3p7mpj7kryydwtb3zagga._file

Verdict:

malicious

RedLineStealer

4047099fa48723c13197f32b1b1c4ca5c450231d1bf8b693df939eb16363f4b0

RedLineStealer

55342589e3d128aa53314e613bab6608de3c0f69ed1dae8b5acf5ba694c54c7c

RedLineStealer

662198412b44e61f7f0b495b939249c6bc05ebb154407de517b422e09145b19b

RedLineStealer

7661bd5c87f1a9ad322c337f11b600dce2b6fe911656ca9fd1aeaf2197451488

RedLineStealer

8f38a8b1fc30c406eeb6877e201fb46b465954da4c356dea81b29d804c96712e

RedLineStealer

bd06bc6e04202a337a16121096b67af4e0f6b3f0a068883ebc647f19eeb6aeb7

RedLineStealer

c8c685962497719668e4755f90ec88274dc6091379b6c6c8bebff3ad3c089672

RedLineStealer

cee16f97554960178a201aad26469926cd079a4254c0f3c420b01b59589f0712

RedLineStealer

+ 309 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210827-jy7zr1gm76/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.67.228.93:80

Unpacked files

SH256 hash:

deffc0ccf548feb38b9a3fcae97f5f42a99f32c1e2f5a96c12e54852564b92d9

MD5 hash:

65962df195d6f3afff13bc0d79e46e05

SHA1 hash:

f68b89db772512f9e000a9c47d62d2e6e4a098ba

Link:

https://www.unpac.me/results/91703eff-2651-48d3-a5ed-e5a384b73073/

SH256 hash:

9f508e34ca12bb1d7c6d80d9a23182599e69631e87a0e96b4dd5c190a4d18e44

MD5 hash:

58a0374bcf5436d80409fc7aad390b09

SHA1 hash:

e38f421168fe9dce189d14d62b4e50e63447bc45

Link:

https://www.unpac.me/results/91703eff-2651-48d3-a5ed-e5a384b73073/

SH256 hash:

843762ba030a6777a6f6fd7ff88e55473e147491cf7643660b67df4395d3151d

MD5 hash:

c87c992d2e06b2e1f229177e7ec58b24

SHA1 hash:

b651b9543258c21de2052adfda27943085b1f6a2

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/91703eff-2651-48d3-a5ed-e5a384b73073/

SH256 hash:

7f2869b5f4b1b395fd1540fb2e7ba8c83688d86dedf3a0373fa017485ab44f05

MD5 hash:

270a22c83dd7ea525c02baad46b1136f

SHA1 hash:

5d40913fafbace047f9a56370459bbf0132400da

Link:

https://www.unpac.me/results/91703eff-2651-48d3-a5ed-e5a384b73073/

SH256 hash:

a345a58d67b17e5f35c9484ff4d6cd52061ddebb7fd8f4fd51c607698779018c

MD5 hash:

38b782477680ba7e66c9b728a2de8046

SHA1 hash:

eb16921dcde9582751344866be3766767521c93c

Link:

https://www.unpac.me/results/91703eff-2651-48d3-a5ed-e5a384b73073/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/a345a58d67b17e5f35c9484ff4d6cd52061ddebb7fd8f4fd51c607698779018c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/182984/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample