MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8c01f337163dc0e0bccb3a85bd0bdca149a199e2d879771e05037ed00c8e967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	a8c01f337163dc0e0bccb3a85bd0bdca149a199e2d879771e05037ed00c8e967
SHA3-384 hash:	ab72e57105b16c1cd2862f5070faee75b3d9bf8074c311b4408e8e5e394a84ceb67b76e6974aa5d79aab7836cd1da26a
SHA1 hash:	02d43ae8b5fa933f34ff3e0686a93fa207d41056
MD5 hash:	43dba0e8a383863fc63b8a70d87bfba6
humanhash:	mars-cardinal-finch-connecticut
File name:	DOCU_SIGN992020299393948883.PDF.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	823'808 bytes
First seen:	2021-08-12 13:50:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:WiG/HK7zc2w67doBnvGuCVg+4JVkjzCcDRCQx2gLFEU6LyD9SiyyjK:34b656euChyV+CcRj0EFERGd8
Threatray	1'141 similar samples on MalwareBazaar
TLSH	T16E05C0423284DD9AE4573AF2089FD46012F9BD8F8621C60E3F877E2B59E7702246775E
dhash icon	f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DOCU_SIGN992020299393948883.PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-08-12 00:03:55 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/99f679cd-7de5-4a6c-b3d6-7cc1ec2fb031

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/178750/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.993-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP POST request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3028fc1f-f8a3-4e93-8776-9f9697c2f174

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/831857

Signature

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Uses known network protocols on non-standard ports

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8c01f337163dc0e0bccb3a85bd0bdca149a199e2d879771e05037ed00c8e967/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-11 22:37:59 UTC

AV detection:

12 of 28 (42.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vdab6m3rmpoa4c6mwoufxuf5zikjugm6fwdzo4paka362agi5ftq._file

Verdict:

malicious

RedLineStealer

1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

RedLineStealer

2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf

RedLineStealer

5633314db4cd680796bc5071bd9a8d0ded1c43e4d4178c431fe5882646816b89

RedLineStealer

57c362ce666df098b6f501828fad20d1b4ff36398634ca4153de9dc43ff1fb9c

RedLineStealer

5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d

RedLineStealer

80752bd3e74c165e9c88fee2b806b67641f6cdae222d4ef9f5bc433f8501e767

RedLineStealer

8cbafd04f32cc48843fcac1913ae731b04e990a44d789a74b0ef50785874d5aa

RedLineStealer

9dc934f7f22e493a1c1d97107edc85ccce4e1be155b2cc038be8d9a57b2e430f

RedLineStealer

c415d4f2eccd8fbbcaacfb5afb4bf208115bf2ec5acb97bd436779f21d39a0e1

RedLineStealer

+ 1'131 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:anything discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210812-3w4hm6y5hj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

elired957.duckdns.org:15808

Unpacked files

SH256 hash:

ddd023faf544a1af70f55414243d3fe9388ba2e1508a35391b550de90fb1b22e

MD5 hash:

8e1988a5f565b3ab68283f139cafd6f2

SHA1 hash:

fe354d509331078c2f65606d143adf924658afad

Link:

https://www.unpac.me/results/120258d1-9ba3-42aa-81b1-122ca4ee329b/

SH256 hash:

9b26d3e8da9fe0f9acbba31a0724934bf530a003d5609df4e76f0994d3662a24

MD5 hash:

24908988484b5c119e96d6bdc8e8ac5d

SHA1 hash:

5f38054d0584b63babee6dab96394f9a07b684b2

Link:

https://www.unpac.me/results/120258d1-9ba3-42aa-81b1-122ca4ee329b/

SH256 hash:

ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc

MD5 hash:

6057ce35bd926dd6d49dedfa9cc18372

SHA1 hash:

1f4e44e1740ffbd91129ac3a37d22845bc52c158

Link:

https://www.unpac.me/results/120258d1-9ba3-42aa-81b1-122ca4ee329b/

SH256 hash:

a8c01f337163dc0e0bccb3a85bd0bdca149a199e2d879771e05037ed00c8e967

MD5 hash:

43dba0e8a383863fc63b8a70d87bfba6

SHA1 hash:

02d43ae8b5fa933f34ff3e0686a93fa207d41056

Link:

https://www.unpac.me/results/120258d1-9ba3-42aa-81b1-122ca4ee329b/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a8c01f337163/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/a8c01f337163dc0e0bccb3a85bd0bdca149a199e2d879771e05037ed00c8e967

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/178750/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample