MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b498051067a8664f7b36062a15c0e03e8f6cb5cdb071116a74f96ee99aed7e1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 2 YARA File information Comments

SHA256 hash:	b498051067a8664f7b36062a15c0e03e8f6cb5cdb071116a74f96ee99aed7e1a
SHA3-384 hash:	ae097b3a686f3b31cc915ebec584c69ee511e82f48ea9a78d1a7749932b89771ff3f57ce2c6d1e4931c5e5ab03f9e590
SHA1 hash:	604ac4cdd1a8b9fd786143e61f4245ec38d275dc
MD5 hash:	6a99b8773a863ade686a076af7db222d
humanhash:	three-jig-carolina-bluebird
File name:	B498051067A8664F7B36062A15C0E03E8F6CB5CDB0711.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	914'432 bytes
First seen:	2021-05-03 11:25:49 UTC
Last seen:	2021-05-03 12:01:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:xIzEZQ/pEXC/aPaKgP4Jp7tDCDIi7VQZUYUa:xUBpEXCCc4Jp7pCZVBy
Threatray	459 similar samples on MalwareBazaar
TLSH	13158CA579018D91D648177FC0CB40040374DDD463A3E70B77AB72AA25B27BBBC99ACB
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://erherst.ml/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://erherst.ml/	https://threatfox.abuse.ch/ioc/28218/
45.128.150.56:80	https://threatfox.abuse.ch/ioc/28219/

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/148428/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.601-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP POST request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/707701

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/b498051067a8664f7b36062a15c0e03e8f6cb5cdb071116a74f96ee99aed7e1a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-27 03:51:56 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wsmakedhvbte66zwayvblqhah2hwznonwbyrc2tu7fxotgxnpyna._file

Verdict:

malicious

RedLineStealer

3df52a4acec2ea77640798fc6f3739caa20c7f663ec7b4fb8c670d4aea241889

RedLineStealer

4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08

RedLineStealer

5d4a9105e1c5445baa4bf0ad0ae48b5f188be3b509d95a7323f0ac9c1dcdd3ad

RedLineStealer

a0060ae7aca834f5e12870b68920b8030c34d56658f61307fd7907073bf5f66a

RedLineStealer

e3ca616249de36f3eda6f214ba9d2840a74cb77aafc6ca56c480ad7bc331670b

RedLineStealer

e5eb0dd4ce710bbc6cc19da58bf6e521d4ef2564b9e92a5e1347ce7ec0677448

RedLineStealer

eb2b82c14b81523edd762536c3dcd308624821dd6840e8cabdf94327d55fcbf9

RedLineStealer

edd437fae0128015cb46fa7bc90b0de2740051657fd66ade89f1b44e1a03bb65

RedLineStealer

f10d670df193cb35227b29f95643b09a8a6fd7cd3428d11aecfcac55e9d90294

RedLineStealer

+ 449 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:2611 infostealer

Link:

https://tria.ge/reports/210503-zy521xdep6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Malware Config

C2 Extraction:

erherst.ml:80

Unpacked files

SH256 hash:

afb36a2aa2d12a7cf499151b8c0a3083c11c05f872e995db4fbb72664db1d0dc

MD5 hash:

bc74b23a2221851b8e355e65c71a953a

SHA1 hash:

ffdf616f1ae4d8c8583a52822bc366393d6fad96

Link:

https://www.unpac.me/results/c0ffea48-a469-4989-95b3-c1a7a61d72b3/

SH256 hash:

fdefe8a318f88eaa88e39675ffff1ecf338142ef9cfe84a9198ac7f1dcf32f18

MD5 hash:

986582dc2c5749f3023996ae04ae5039

SHA1 hash:

c69d3613b948f91c5c3bce6d71fcad082a295744

Link:

https://www.unpac.me/results/c0ffea48-a469-4989-95b3-c1a7a61d72b3/

SH256 hash:

a10fd61087610e1a561eaac624826e8427c8021cd94572cfc93f0cc2be6076c8

MD5 hash:

394616e3acf0b1a1248dd4d8f38591eb

SHA1 hash:

7935ce781a562ba819f075455ba6f3d13c9ee76c

Link:

https://www.unpac.me/results/c0ffea48-a469-4989-95b3-c1a7a61d72b3/

SH256 hash:

b498051067a8664f7b36062a15c0e03e8f6cb5cdb071116a74f96ee99aed7e1a

MD5 hash:

6a99b8773a863ade686a076af7db222d

SHA1 hash:

604ac4cdd1a8b9fd786143e61f4245ec38d275dc

Link:

https://www.unpac.me/results/c0ffea48-a469-4989-95b3-c1a7a61d72b3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b498051067a8664f7b36062a15c0e03e8f6cb5cdb071116a74f96ee99aed7e1a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/148428/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample