MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa30299c8266809acb727ef5ec89a80f0cdbcc848550607743f256438f00e398. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	aa30299c8266809acb727ef5ec89a80f0cdbcc848550607743f256438f00e398
SHA3-384 hash:	838701fb12309fa6ff4b7bebf3907438de5566853aceff9df537922a239121e8e42ccec639538c1391395ce9b5a054dd
SHA1 hash:	2842a8a055496756c006f3bbcbd044e2e0cf23be
MD5 hash:	0c61122a8e17de2620034532bd86dbee
humanhash:	speaker-virginia-high-friend
File name:	0c61122a8e17de2620034532bd86dbee.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	20'992 bytes
First seen:	2020-07-01 16:53:04 UTC
Last seen:	2020-08-01 19:30:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	384:vW+eiWvXY2hiEax3G0dC/Ohh/Fyp/+wTnZEByH:vW+XYIuiEaBj8ehdyp/+UnCi
Threatray	86 similar samples on MalwareBazaar
TLSH	3B921864B3D48337C8AA87F486B982898BB1F16B5D06EA7E08C55197CA137C14F137A7
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://178.159.43.68/IRemotePanel

Intelligence

File Origin

# of uploads :

2

# of downloads :

91

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Spider.1.22836.7592.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa30299c8266809acb727ef5ec89a80f0cdbcc848550607743f256438f00e398/

Threat name:

ByteCode-MSIL.Trojan.TrickBot

Status:

Malicious

First seen:

2020-06-30 20:07:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

1

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=viycthecm2ajvs3sp326zcnib4gnxteeqviga52d6jlehdya4oma._file

Verdict:

suspicious

Similar samples:

1681aa9c53703a91a8feb2296051bffc02763c1663e8e50113d51c4b7cb37378

262e75b938cc8b65820cf4015f33ab3db363eb7a968c23bdd48e7a680d97a9f7

3a433d9d40efde586b6da1409014e23c3c08a668f3148682524406f852e239af

5c164b47abfcecfc8f75d220cffbe8a9de97cf956154783aae6d885c180c1e8d

62824d9a353a539053724252d3710008e5894f3580fec8449ec38b7828e7b389

a7116dc8a8296b97287b628c8cc8cc5fd834557d6d0fc29d5944fd1e4a30b8a3

a75040c1f0f11bf9629774525960c9cf35153727e1191057b575fb3c1ed0700a

aa4ea575f062475547ce69415145acded3eda98cff4e8e2b532b1f3201b1b0bf

bfb194c2020359da5169cc6eb2664551e61ccbe7c67af375c7c7c5c8f2b84bc9

d51861bee7da084197de80b44da801303efb75d19d27bad917eac7dd6036cb71

+ 76 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

evasion spyware trojan discovery infostealer family:redline

Link:

https://tria.ge/reports/200701-29zxm5crss/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks whether UAC is enabled

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of SetThreadContext

Modifies system certificate store

Checks for installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

RedLine

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe aa30299c8266809acb727ef5ec89a80f0cdbcc848550607743f256438f00e398

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/406819/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/17719/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample