MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4f985b85f0ffc8646eb0ec6bcdfeb2e6145a38f2af6f63c4e3c1059bd3867b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4f985b85f0ffc8646eb0ec6bcdfeb2e6145a38f2af6f63c4e3c1059bd3867b6
SHA3-384 hash: 4b8aa4d489534a8cb569ed805ae9d92f4e879b47dac27b7c41567af00da381722f646732d65451e0a26920467f7afd81
SHA1 hash: 7043e5f23719972d34b00bea118ed9046992dd52
MD5 hash: a590b3582216195871f005bde12c91fe
humanhash: florida-seventeen-california-kansas
File name:a590b3582216195871f005bde12c91fe.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'322'368 bytes
First seen:2022-06-07 21:00:53 UTC
Last seen:2022-06-07 21:38:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:v2plodEy+07T4JoMOgqOiDejU7UMEsaUD2mfxZPjwDiR6zZAZVZ/3ql0tWolhNZr:pCu0a30+pmS8DYt5
Threatray 2 similar samples on MalwareBazaar
TLSH T115F57D11F6888B25E0FE3236D79625451BB7D1D30B62CA49768E73A45B237436E0F32B
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
179.43.142.184:15026

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
179.43.142.184:15026 https://threatfox.abuse.ch/ioc/664195/

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a590b3582216195871f005bde12c91fe.exe
Verdict:
No threats detected
Analysis date:
2022-06-07 21:08:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2d3fbc8-54a9-4d87-bbc8-499f636668db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277505/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50298588.2465.6801.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Adding an access-denied ACE
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the process to interact with network services
Creating a file in the Windows subdirectories
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm control.exe hacktool obfuscated remote.exe
Link:
https://www.filescan.io/uploads/629fbccfbea023f99d88a26b/reports/5d0ac679-6eca-4f02-8fa5-09d218e25fee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fca54008-8b40-4760-a8fd-181b2c71b1c8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1008551
Signature
Adds a directory exclusion to Windows Defender
Adds a new user with administrator rights
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 641047 Sample: f1w81BS6RU.exe Startdate: 07/06/2022 Architecture: WINDOWS Score: 100 49 192.168.2.1 unknown unknown 2->49 51 api.ip.sb 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected UAC Bypass using CMSTP 2->57 59 5 other signatures 2->59 8 f1w81BS6RU.exe 7 6 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 6 other processes 2->16 signatures3 process4 dnsIp5 45 C:\Windows\Cursors\...\svchost.exe, PE32 8->45 dropped 61 Creates autostart registry keys with suspicious names 8->61 63 Creates an autostart registry key pointing to binary in C:\Windows 8->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 8->65 75 2 other signatures 8->75 19 net.exe 1 8->19         started        21 net.exe 1 8->21         started        23 net.exe 8->23         started        25 11 other processes 8->25 67 Multi AV Scanner detection for dropped file 12->67 69 Drops executables to the windows directory (C:\Windows) and starts them 12->69 71 Adds a directory exclusion to Windows Defender 12->71 73 Changes security center settings (notifications, updates, antivirus, firewall) 14->73 47 127.0.0.1 unknown unknown 16->47 file6 signatures7 process8 process9 27 conhost.exe 19->27         started        29 net1.exe 1 19->29         started        31 conhost.exe 21->31         started        33 net1.exe 1 21->33         started        35 conhost.exe 23->35         started        37 net1.exe 23->37         started        39 conhost.exe 25->39         started        41 conhost.exe 25->41         started        43 8 other processes 25->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4f985b85f0ffc8646eb0ec6bcdfeb2e6145a38f2af6f63c4e3c1059bd3867b6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 17:00:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ut4yloc7b76imrxlb3dlzx7lfzquli4pfl3pmpcohqiftpjym63a._file
Verdict:
malicious
Similar samples:
c5250a2105130cd7a1b83c5c5bb165e6f9bbb64ea5e7cf42a8cd2e13e3437c09
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:freezetest discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/220607-ztvsrsgagr/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Windows security modification
Grants admin privileges
RedLine
RedLine Payload
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
179.43.142.184:15026
Unpacked files
SH256 hash:
5d4e800aa705b43e184972f4880ca8efa108bcf00d555dbbb2c0a834f77b6c2f
MD5 hash:
01fd9bfc49599675a8f1205eb9f3d86d
SHA1 hash:
250bec2d56b2ed5093844d5998f87ace08051248
Link:
https://www.unpac.me/results/f94fca0a-e687-4d3d-bbde-768fd5d77c1a/
SH256 hash:
71951c207f63b070f0ee101360f06b889f048ec2e888f6640a1d349561f1c3bb
MD5 hash:
2b65a2a5bf2bb6dece2224f50e837270
SHA1 hash:
0c6bf56c0d424b274aeafa10741f92f1c440a263
Link:
https://www.unpac.me/results/f94fca0a-e687-4d3d-bbde-768fd5d77c1a/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/f94fca0a-e687-4d3d-bbde-768fd5d77c1a/
SH256 hash:
a4f985b85f0ffc8646eb0ec6bcdfeb2e6145a38f2af6f63c4e3c1059bd3867b6
MD5 hash:
a590b3582216195871f005bde12c91fe
SHA1 hash:
7043e5f23719972d34b00bea118ed9046992dd52
Link:
https://www.unpac.me/results/f94fca0a-e687-4d3d-bbde-768fd5d77c1a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a4f985b85f0f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/a4f985b85f0ffc8646eb0ec6bcdfeb2e6145a38f2af6f63c4e3c1059bd3867b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277505/

Comments