MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad597a0fd61b58ce729ade161c683bc6bc97774219df430489a95b92126f1427. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad597a0fd61b58ce729ade161c683bc6bc97774219df430489a95b92126f1427
SHA3-384 hash: 1506aabcaf8114755cdc10fbac616d3029cb9df0b0964c84f63ec95052c0db455e560adac49c9f5a9c521855a5b87a40
SHA1 hash: c16b998341915e97cf9ee19463bb26bf3f9e15a8
MD5 hash: 56a8be43077b33e30a186b02a78dbeec
humanhash: ten-oven-november-oregon
File name:RFQ #060622- AL NASR ENGINEERING LLC.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'085'376 bytes
First seen:2022-06-07 06:15:23 UTC
Last seen:2022-06-07 20:26:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:2fgRs+SbWJyQyGGvhApyElZlbPMrh+K2Q5fq+z5fq+sOT75fq+W5fq+tJX5fq+za:OgObO/XPMrh+K28rOEIZJVXG
Threatray 2'128 similar samples on MalwareBazaar
TLSH T11FA59E0173E0D60BCA77733558B5F634527679A6BA01E758B17CB9DB3A323408E227E2
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ #060622- AL NASR ENGINEERING LLC.exe
Verdict:
Suspicious activity
Analysis date:
2022-06-07 22:31:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f1a70189-7225-4f6b-98fd-50baa732cd85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277209/
Detection(s):
SecuriteInfo.com.Variant.Barys.305319.28693.13157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys control.exe obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/629eed60a2b1fc9744d34b61/reports/b062d846-a0e7-4df1-97ca-809f74b816b7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d15a22a9-b515-46d8-90bd-abc50d73cbc3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007838
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad597a0fd61b58ce729ade161c683bc6bc97774219df430489a95b92126f1427/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-07 04:30:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvmxud6wdnmm44u23ylby2b3y26jo52cdhpugbejvfnzeetpcqtq._file
Verdict:
malicious
Similar samples:
076b97cfd1429aa4aa0409d5e131fc829c2238f327f252f6e39235e884fb39fc
RedLineStealer
22a2b1f9676ca799aa7f5f5f73aa35ba2f542ec0035f262346dab39cf0915a69
RedLineStealer
271fc69b06a989c8a860578cce97e42a0db94d58fec14544acfaabf2af7a8d9f
RedLineStealer
33e681eaafb9c9fb943e1663b68c2e63aa3782ee71ea667f76096f606d64066c
RedLineStealer
7399f403d9fc22c965e01191f13c07d465102ab0fce7194fe55fccbd07b1134e
RedLineStealer
7d9aa89ec144e5ab03e3ece03504c04e54b236012586271f2f56f914be548f3c
RedLineStealer
b0ee2b2f81d8bbfc30046ac311f58f7271de65ec09dc357cab7cb90e05445c03
RedLineStealer
ec70df5d6e789759aba200e31c25b8bc9657f973d0fad4c79ef5efb880efa5b0
RedLineStealer
+ 2'118 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:nwantu discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220607-g1fy3sfffj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
140.228.29.114:50298
Unpacked files
SH256 hash:
85c085762b2e224f6ef0a59cda7a24945230de211053e65455efc80a80a8604a
MD5 hash:
ccc0390639539f0d968111e908445df1
SHA1 hash:
c2a9002a30eaf2bbd4e7eeb74a4f3f5ed61c6d58
Link:
https://www.unpac.me/results/479ce6ce-8919-451b-a930-2098fa19d4de/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/479ce6ce-8919-451b-a930-2098fa19d4de/
SH256 hash:
ad597a0fd61b58ce729ade161c683bc6bc97774219df430489a95b92126f1427
MD5 hash:
56a8be43077b33e30a186b02a78dbeec
SHA1 hash:
c16b998341915e97cf9ee19463bb26bf3f9e15a8
Link:
https://www.unpac.me/results/479ce6ce-8919-451b-a930-2098fa19d4de/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad597a0fd61b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/ad597a0fd61b58ce729ade161c683bc6bc97774219df430489a95b92126f1427

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe ad597a0fd61b58ce729ade161c683bc6bc97774219df430489a95b92126f1427

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/277209/

Comments