MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b70e02c6c4248dd1af3c6ed70b9e016592ab30f6020e109767cbdf81b8c70b02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b70e02c6c4248dd1af3c6ed70b9e016592ab30f6020e109767cbdf81b8c70b02
SHA3-384 hash: 3e21c819e1acec499e3ac6c121926e7251153b2d1a220fbb793019dc049e6ce75591f49a7321ec346f417706fa48c1c3
SHA1 hash: 1d9689bf64b4de90e2dfb4d8df18cfba15420b96
MD5 hash: 344967abba36524514c992f808adb6c8
humanhash: september-tennessee-lactose-mars
File name:17.12.2024 ????????.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:930'816 bytes
First seen:2024-12-17 11:00:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:gOMPku+l0CPPOwq0b9XvY3GiNIyqp8Kfy1XYUWoYsaj5Ki2ld53wLgsR0ufYs0yT:WPd+pOpIVANFq+KfydxYsc9o53wcuz
TLSH T14A15CFC0372AB701CD7CAA70893AEDB853652E34B040F9E6ADDD27D7759C7126A18F06
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
87.120.120.86:1912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
87.120.120.86:1912 https://threatfox.abuse.ch/ioc/1349993/

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
fd8603f9-3dfb-4d54-8a8b-be85395662ac
Verdict:
Malicious activity
Analysis date:
2024-12-17 11:01:35 UTC
Tags:
stealer redline metastealer
Link:
https://app.any.run/tasks/fd8603f9-3dfb-4d54-8a8b-be85395662ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Packed2.48521.20576.28300.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67615be78fb73f13afd0acb8
Tags:
redline virus crypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/676159f1a3636b2bbad6da35/reports/a0c78a37-96c0-47b0-b90e-3fa53ddafd5e/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/b70e02c6c4248dd1af3c6ed70b9e016592ab30f6020e109767cbdf81b8c70b02
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34d7612b-d7b5-40c9-8d00-886a81af2694
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1576688
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b70e02c6c4248dd1af3c6ed70b9e016592ab30f6020e109767cbdf81b8c70b02
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b70e02c6c4248dd1af3c6ed70b9e016592ab30f6020e109767cbdf81b8c70b02/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-12-17 10:30:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4hafrweesg5dlz4n3lqxhqbmwjkwmhwaihbbf3hzppydoghbmba._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
redlinestealer
Create hunting rule
Similar samples:
error
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logs discovery infostealer spyware stealer
Link:
https://tria.ge/reports/241217-m4jf9sxnh1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
87.120.120.86:1912
Verdict:
Suspicious
Tags:
c2 redline metastealer stealer
YARA:
n/a
Link:
https://app.threat.zone/submission/6e20d284-5105-43c4-ba40-be70d52f1675
Unpacked files
SH256 hash:
366cfb2015078d80637bad5e41ba879903fafc17fe6d24d74210fbbfeaa07bd6
MD5 hash:
6c6509adcd386e5aa612f7a9c3d8a04b
SHA1 hash:
d36a9e2f20a88d035da9f976ba551358cbb3f913
Link:
https://www.unpac.me/results/c93b4b35-cc6a-4e30-aeca-c0f6320ccadd/
SH256 hash:
918901c8848c1310ff60bc390a679d7ae30607c4ea9432dd88a2045a07fa6274
MD5 hash:
ca204438a7a3f33355c4a9b3aed48869
SHA1 hash:
48756755b74e73ad7c99237c4139e71c403da996
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/c93b4b35-cc6a-4e30-aeca-c0f6320ccadd/
Parent samples :
717a77357b194172da9212b29de15aa4405c3503dedddc2457dc97e196aedb93
b70e02c6c4248dd1af3c6ed70b9e016592ab30f6020e109767cbdf81b8c70b02
309621355c48f1d8b77d4df0cfb99a32dbd0ab78f234b6c12934d9f3a1503af8
2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd
c4a993a439395763eaa84f6f2cdcd20c2b8d3a9bafe795ce1874f7d510d34293
e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
862f560eedeb50aea489b649e1c3790254a1d8424cc2bafde2c68e3dcd161967
0766e43d3968a048e78c18383353ea6450934bcd0427ec9757c8da2570884580
e844c45831ec146a5c82479c1381a32827034b11078e433870006e40ea13cf15
SH256 hash:
7c4799f3c2006173b96d7ea3d4f6592bc088ca5293090e85cf14f5dbad5976f4
MD5 hash:
e56d3fca5f46a3a499a1ae90bc07c968
SHA1 hash:
25ed5dbaee8e2faf757abedd0beec73ae0c929d3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c93b4b35-cc6a-4e30-aeca-c0f6320ccadd/
SH256 hash:
b70e02c6c4248dd1af3c6ed70b9e016592ab30f6020e109767cbdf81b8c70b02
MD5 hash:
344967abba36524514c992f808adb6c8
SHA1 hash:
1d9689bf64b4de90e2dfb4d8df18cfba15420b96
Link:
https://www.unpac.me/results/c93b4b35-cc6a-4e30-aeca-c0f6320ccadd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments