MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b61ac8b8fabd1b494f4d22e5a1f0b920da55e5827e588361a77c135909387dc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 6 File information Comments

SHA256 hash:	b61ac8b8fabd1b494f4d22e5a1f0b920da55e5827e588361a77c135909387dc3
SHA3-384 hash:	4fb47044506f0504f5f3c8fe4fcefbe76bb5ba96211e325f869025d42ead601534ad9098f44df2a383006791dc9d8739
SHA1 hash:	5ae3e230cd1659d0fd407073403e6e4843dab918
MD5 hash:	aba4e0c6d2408a08801293c7073dd8d5
humanhash:	sixteen-august-connecticut-california
File name:	aba4e0c6d2408a08801293c7073dd8d5.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'879'576 bytes
First seen:	2021-12-03 09:51:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	98304:KouNiw9VYj9MKDceJzQwI0jdizsQ5nOCkQ6esg/1x1zMzl1EEs:KHNiisMK4eJzQq8zLh4Q6ehxpcEEs
Threatray	95 similar samples on MalwareBazaar
TLSH	T1FD36CF9B11538ABAF2284B36500DD364A7C57B40B063E6E2D9EB10E7CC1B76D6DD4ACC
Reporter	abuse_ch
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Agars
Issuer:	Agars
Algorithm:	sha1WithRSAEncryption
Valid from:	2021-11-20T21:00:00Z
Valid to:	2031-11-27T21:00:00Z
Serial number:	677b3786768893954a568761b228440a
Thumbprint Algorithm:	SHA256
Thumbprint:	aafa8b50403302096551c5d5fbda0cc140af20d78005312bb00211e1ab79740d
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RedLineStealer C2:
107.178.110.44:46230

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
107.178.110.44:46230	https://threatfox.abuse.ch/ioc/258831/

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aba4e0c6d2408a08801293c7073dd8d5.exe

Verdict:

Malicious activity

Analysis date:

2021-12-03 10:45:24 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/c74a5464-dc3f-49de-9388-affba3a2797f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/210983/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a window

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Unauthorized injection to a recently created process

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/61a9e8c9fa72c81b5b092ddd/reports/fbd83891-b933-4040-af95-bf52d035f07f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01abbcab-1c74-49dc-bceb-a6ea4ca8d01f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/900757

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b61ac8b8fabd1b494f4d22e5a1f0b920da55e5827e588361a77c135909387dc3/

Threat name:

ByteCode-MSIL.Trojan.Tedy

Status:

Malicious

First seen:

2021-11-30 22:22:23 UTC

File Type:

PE (.Net Exe)

AV detection:

20 of 45 (44.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wynmroh2xunust2nels2d4fzednflzmcpzmigynhpqjvscjypxbq._file

Verdict:

malicious

RedLineStealer

51bda9cff13b4515a21d412a59a51746594613eed7fe0cb21f1ee8037baabf66

RedLineStealer

7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

RedLineStealer

9820500aae4c3b3b5ab38a63f9776a75cfb2203a20798682207aee9e6526aba8

RedLineStealer

9c2b3a7c5abdcd9cfbafc27cddcdd4054cea214e15d3a1666cf407d2479a1f7e

RedLineStealer

fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e

RedLineStealer

+ 85 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:tet lai discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211203-lv4keagadk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

107.178.110.44:46230

Unpacked files

SH256 hash:

3db44d0d4c91f61ba40f967e7831e0ba4a46ea675b59dd504c1230e53c008bb6

MD5 hash:

bf1aa049e20b44381cefe7f3dfcd128a

SHA1 hash:

a6c2018479cffedbd40e5e52a393809c91b5b5d4

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

ae12ecc0233d293e8e275c9ec0654f111427ebafb1596a69520ef3c438df5811

MD5 hash:

d1af260073911f84088ceab2b176f8f8

SHA1 hash:

80d68d58725b87a35d2edc6a089494d783994124

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

92d5dd2fcbdf3c9053facf95ee10a422f68a531f7a09899da2384c9a9240a06b

MD5 hash:

565c9af2e5901511cbdcfdae97d14450

SHA1 hash:

805bb9ac7b93244a4872c74e45b32df17cdb8d1a

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

022371f474ecae38c2bb3e0b36f53827d9b7c27520d8b269bcc98fe2f820e96e

MD5 hash:

94e647a4e6684e482bea03a2f9bfd325

SHA1 hash:

117bbfa15e3ce2e98602adf4465e4ffe24c93726

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

b78217e16c4f5b3a91b9cc968e3f51a53c2dd7b0620b40f0030c77a0da3e3135

MD5 hash:

e58366a4547862f9ec39c9d23ca18814

SHA1 hash:

004fadb18a007f9031105c956c0268218132b2c5

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

0609f3d5ef79ca0271d079590f1ad180cab9cd51453def7a4fb198db30f0d0b2

MD5 hash:

d3597e2bb746de9919c7141832be83ab

SHA1 hash:

1e8d9f5484378c7e3fbdb5dd0daeb1dd038c444b

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

f1b5b0c66005600502a9f79c8b2c59fa2faa30fd1f581d307731e9f2bd75b7c4

MD5 hash:

07d4ae71c37959e7e142b44544b56d39

SHA1 hash:

a578951333acf861672bd505d8dc5780a7d12799

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

45611a569cabfdcfe0c2d733225b4c589e0c76bdf0b2b0ee36a9137ade25cd13

MD5 hash:

e8b3bb86283a357b1639db563afdb1e3

SHA1 hash:

f07f7828b0467eec89a3c1bdd8c014986d59ad42

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

e8a81cccadc6496d2c6656b69644937b8e190767d155d06ae705a9b45dce9bc2

MD5 hash:

63a3c1efce6eb3e424289ce135ebe897

SHA1 hash:

b803ce66f0b5ba5f1e4e02f5197312b836e18d54

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

SH256 hash:

b61ac8b8fabd1b494f4d22e5a1f0b920da55e5827e588361a77c135909387dc3

MD5 hash:

aba4e0c6d2408a08801293c7073dd8d5

SHA1 hash:

5ae3e230cd1659d0fd407073403e6e4843dab918

Link:

https://www.unpac.me/results/56521686-252f-4240-a847-d9f8276c503f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b61ac8b8fabd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b61ac8b8fabd1b494f4d22e5a1f0b920da55e5827e588361a77c135909387dc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/210983/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample