MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e7fc18a5e344a7f398d03f8b4e2cf0f2579e4d70c90915376e066cec01505a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 7 File information Comments 1

SHA256 hash:	a5e7fc18a5e344a7f398d03f8b4e2cf0f2579e4d70c90915376e066cec01505a
SHA3-384 hash:	7e0aa2cc61088fe977797a901ca66f929810af2362f71a669e25c73fc4decef8ffd6a2bdcdbc88c5c50d742ec1c08672
SHA1 hash:	777b5b6df582a167eff97967cec1aa5b5b43a5be
MD5 hash:	15fe59c75495ac9603896da00ee129da
humanhash:	alaska-nitrogen-stairway-steak
File name:	15fe59c75495ac9603896da00ee129da
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	264'704 bytes
First seen:	2021-09-02 12:41:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	3072:EXY77r7OMkv5i0LpsXpQCTCKZnlvU0CyVWkeX7HcJZB33sHjH+7gDseI/KQ73WmE:EI/OMfQ3KFlvU0/MkeX78JbjxX
Threatray	72 similar samples on MalwareBazaar
TLSH	T1CA442A4427E84B5BF2FF5BBAE4712219C3B0B426AB3ACB8E5C4550EE5C2374489507B7
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

15fe59c75495ac9603896da00ee129da

Verdict:

Suspicious activity

Analysis date:

2021-09-02 12:47:50 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/a8df75a2-410a-4cc6-9630-ad1ee4ac0b25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PredatorTheThief

Link:

https://www.capesandbox.com/analysis/184748/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop9.43392.10056.3667.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Deleting a recently created file

Reading critical registry keys

DNS request

Connection attempt

Sending a custom TCP request

Sending a UDP request

Creating a window

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Stealing user critical data

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/29675e59-6ec5-4681-9156-a5c5ca7c4f39

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/843980

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to capture screen (.Net source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a5e7fc18a5e344a7f398d03f8b4e2cf0f2579e4d70c90915376e066cec01505a/

Threat name:

ByteCode-MSIL.Trojan.Revenge

Status:

Malicious

First seen:

2021-08-31 06:24:03 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Verdict:

unknown

RedLineStealer

3d2bd69871c0a443d1e4c2a5ec37833dbcbce929aba368745f10d7b981a5264c

RedLineStealer

40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f

RedLineStealer

417d90bf7d85a12dd9b199f97a0f7315532a71e0c09c124d50258dda532e0b20

RedLineStealer

5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487

RedLineStealer

989f403c14fe2ab86cb51cb4232ed7a3fc8f623ad8025e674acfa3bf45a0d917

RedLineStealer

b97c0637f9e4666bc0c4875a83f3224b241056be6fd34b32c52911bcf5841195

RedLineStealer

be163731cfe152309f2f36332968aa275edef44ede0544d9fa37d26ce530cb77

RedLineStealer

cd80318bc4c724934435231e72cbf7cbf5942df8b36e480603237e2ed08d4a93

RedLineStealer

d684eb2255665b6953a3ce3f23721d4130987ffa61ad69482fd706392ab9bf3e

RedLineStealer

+ 62 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/210902-xbcsx6vqyx/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Reads user/profile data of web browsers

Executes dropped EXE

Unpacked files

SH256 hash:

eca93bbc2f378c5b153de012582dc6f46cd626aa6cdadb0d7174f7254fa4237f

MD5 hash:

6a7d2ff82214b75d0585cdd7e8a4554f

SHA1 hash:

750684e51c054c1c548ccad23b6b2526236acd5e

Link:

https://www.unpac.me/results/27a93d7b-881a-48b4-bbae-d7dbaec80377/

SH256 hash:

a5e7fc18a5e344a7f398d03f8b4e2cf0f2579e4d70c90915376e066cec01505a

MD5 hash:

15fe59c75495ac9603896da00ee129da

SHA1 hash:

777b5b6df582a167eff97967cec1aa5b5b43a5be

Link:

https://www.unpac.me/results/27a93d7b-881a-48b4-bbae-d7dbaec80377/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/a5e7fc18a5e344a7f398d03f8b4e2cf0f2579e4d70c90915376e066cec01505a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe a5e7fc18a5e344a7f398d03f8b4e2cf0f2579e4d70c90915376e066cec01505a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1586060/

Cape

https://www.capesandbox.com/analysis/184748/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-09-02 12:41:28 UTC

url : hxxp://swretjhwrtj.gq/isnlod.exe