MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b330db061c955516a6a4eefe454e57d08989e8b13ce2b33730ebd5790887bc2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b330db061c955516a6a4eefe454e57d08989e8b13ce2b33730ebd5790887bc2d
SHA3-384 hash: d3c0ee85c7a89e1d24791167a3aae90663a6d65bd8eaca75d5918a26aba91c199f3c587348a077d91966badef49ba31b
SHA1 hash: 10f470fc691d6dc08b62ab27f159c7cac5c3b3d8
MD5 hash: 627614021b49b4be7ad427b4b8b37723
humanhash: mountain-north-alaska-jersey
File name:CopyOfPayment2243G772GD77GD7737763BHHGSDGHUYE.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:682'496 bytes
First seen:2023-01-27 15:40:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:+552iNTy1YWZobzi5M458Tm/wPKfhA3PCpuazWgMlSYtz8L6guiMI:+551F4Ub+5MyPhSPCpuvfoL
Threatray 7'079 similar samples on MalwareBazaar
TLSH T190E4220C77B4C70AC4BE0BFA1074181103B669657647E74E0DD2F5EA1A3B7E34A55E87
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
37.220.87.3:1468

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
CopyOfPayment2243G772GD77GD7737763BHHGSDGHUYE.exe
Verdict:
Malicious activity
Analysis date:
2023-01-27 15:42:05 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/b0993c4e-ff98-41bb-93da-03dbad5112b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357498/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d3f08e1c9cbf7d625383fa/reports/f58cc39d-af4f-4e06-89ef-cc105980a004/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55712677-99d4-464f-a204-2a12230b8140
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160353
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b330db061c955516a6a4eefe454e57d08989e8b13ce2b33730ebd5790887bc2d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-27 15:41:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wmynwbq4svkrnjve537ektsx2ceyt2frhtrlgnzq5pkxscehxqwq._file
Verdict:
malicious
Similar samples:
18581776643e7ff918c5d6f8217e33b3ec7afe8c3df566a8d92833befb6e20b8
RedLineStealer
23329bda17535f705233dcce3aaf21aa7cedc5576dcfd3eab64bdbb62a9f18e3
RedLineStealer
68ea72295e924f8a0ab6c6e6cbc06b4a86faa92cf1730a935e4f552049fda4c4
RedLineStealer
b5e9b82f8f0ce74b44d88520686c5d3dcb002db811497fede0b92cdd8cd693b1
RedLineStealer
b6ba9b1f0724dee6813ee67780cc5a130e5565d616b6acf53a7ef417ab580dfc
RedLineStealer
e87092e93a1a144894d2221cc206afad0989a352a3eb4e9460dedc51af542597
RedLineStealer
+ 7'069 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer
Link:
https://tria.ge/reports/230127-s4rersdd5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
2eb209f50590b4db4cf0ff05466cc4769116977978c85c2a59060b7d9f3c9b3d
MD5 hash:
1849b17d97dfc06816e6e9ff3aefae46
SHA1 hash:
e1812de289a65a906df2ff1f0a0069716a8ef6ea
Link:
https://www.unpac.me/results/40a1dfa8-d033-4a29-89ec-afef4e956b2b/
SH256 hash:
1e7de6581386dd3d1f9a8a915018a79819c86ee969f6a06ff7cf2cf582ebf8fa
MD5 hash:
b759b2b611b5065f57bddee7336cdc6d
SHA1 hash:
e0da33fd9a11d9a93e7514e746125ad2aed0b100
Link:
https://www.unpac.me/results/40a1dfa8-d033-4a29-89ec-afef4e956b2b/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/40a1dfa8-d033-4a29-89ec-afef4e956b2b/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/40a1dfa8-d033-4a29-89ec-afef4e956b2b/
SH256 hash:
ec553eb6053c351355d85cded34f599b15739816d688e74b077f82d85059d2c6
MD5 hash:
410c3391e1b749e9c336ec9c35e45935
SHA1 hash:
619132eabb8fc1e9d8de3ab3ce225288388e2380
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/40a1dfa8-d033-4a29-89ec-afef4e956b2b/
Parent samples :
637230043b334e6dc055e574e813492f472083212c6a5218bcf3bda722953df9
b330db061c955516a6a4eefe454e57d08989e8b13ce2b33730ebd5790887bc2d
SH256 hash:
b330db061c955516a6a4eefe454e57d08989e8b13ce2b33730ebd5790887bc2d
MD5 hash:
627614021b49b4be7ad427b4b8b37723
SHA1 hash:
10f470fc691d6dc08b62ab27f159c7cac5c3b3d8
Link:
https://www.unpac.me/results/40a1dfa8-d033-4a29-89ec-afef4e956b2b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b330db061c95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b330db061c955516a6a4eefe454e57d08989e8b13ce2b33730ebd5790887bc2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/357498/

Comments