MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab84aed43b30ced6e514cd2a1191307294bd4f3211813c5de99aa0ebbfedd215. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab84aed43b30ced6e514cd2a1191307294bd4f3211813c5de99aa0ebbfedd215
SHA3-384 hash: de9a937d388090233146906f65c346e4bf082d3634fb251a716b23cbc58f1118d13524fb2a94c20505d384687d1abd04
SHA1 hash: b534275282155c86ee1aad2ff632de46783f8e30
MD5 hash: 7bc09b96533398f970efe4c87eb72939
humanhash: fish-steak-orange-pasta
File name:7bc09b96533398f970efe4c87eb72939.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:19'456 bytes
First seen:2020-12-13 08:04:58 UTC
Last seen:2020-12-13 09:53:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 192:y/eISzjq6nL7wUXp4nLt24nLFe1H9nLek4nL9bg4nLzYXpj9nLEw4nL2InLU0b1I:h9Xv0pHKvjVPMGf92mz0i2gbVm8KY2x
TLSH 31922A22B3D6933AD5EE0BB046B946009533F5869622D73FECC4418E8B53BD90B563E7
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
540
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7bc09b96533398f970efe4c87eb72939.exe
Verdict:
Malicious activity
Analysis date:
2020-12-13 08:07:34 UTC
Tags:
rat redline trojan evasion
Link:
https://app.any.run/tasks/4bf0b03e-1856-4eb7-a9f3-4740958042b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107843/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.60676.18277.25994.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/561314
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab84aed43b30ced6e514cd2a1191307294bd4f3211813c5de99aa0ebbfedd215/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-12-13 08:05:06 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline infostealer keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201213-t2xnleyv36/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
ab84aed43b30ced6e514cd2a1191307294bd4f3211813c5de99aa0ebbfedd215
MD5 hash:
7bc09b96533398f970efe4c87eb72939
SHA1 hash:
b534275282155c86ee1aad2ff632de46783f8e30
Link:
https://www.unpac.me/results/082dd731-41db-40c6-bb03-4d5b156fb9d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ab84aed43b30ced6e514cd2a1191307294bd4f3211813c5de99aa0ebbfedd215

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ab84aed43b30ced6e514cd2a1191307294bd4f3211813c5de99aa0ebbfedd215

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/896394/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107843/

Comments