MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
SHA3-384 hash: 1aba6fac8ebb365a1a218fe637d8693752e49a5100901c1c9521e2f1e05a0df97f4f86e92f58b5ac7bb360f71da86129
SHA1 hash: 6c22ee34fb6a7b6f83d872ed8a96330a6874d229
MD5 hash: 8b021c061663ac4e87fd8568b47268f8
humanhash: early-pizza-bulldog-nitrogen
File name:8b021c061663ac4e87fd8568b47268f8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:342'016 bytes
First seen:2021-01-14 06:35:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7304fc031c729ed62048b4dd8e72efab (5 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:2mwK0FCXRjwrkqHdyM/uT7ROEdMYKFkV6cRARn6IsuuZBV+B42:2NK1GYWtuIEqYmkV6qq6IspZBV
TLSH 827402929452B490F510FDF96662C3E1758F2ACE1700E7C6FA39E8A41F3A1F1ABF1542
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://93.115.18.245:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882
Verdict:
Malicious activity
Analysis date:
2021-01-14 05:50:36 UTC
Tags:
loader rat redline trojan
Link:
https://app.any.run/tasks/7ce02e93-3c13-4619-bf28-35851e34d413

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111924/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.RansomGandCrab.fc.5865.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Running batch commands
Creating a file
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/580908
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-14 06:36:11 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4q3ppltfolgi7ugap235kt32gqkw34gd5jf52vohet2gz6uempa._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/210114-k29v584j62/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks installed software on the system
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
MD5 hash:
8b021c061663ac4e87fd8568b47268f8
SHA1 hash:
6c22ee34fb6a7b6f83d872ed8a96330a6874d229
Link:
https://www.unpac.me/results/fa434d74-cbbd-46c4-b049-0e37ba73ec93/
SH256 hash:
a7ac35eec63996d811226f312e99a5af6301940cdb43e853022cc5fc28f3daf0
MD5 hash:
1b17669857e5cc465ddc230d7c3eac94
SHA1 hash:
227b27cd9fc41a17c46cdf1a089da5707ea9f989
Link:
https://www.unpac.me/results/fa434d74-cbbd-46c4-b049-0e37ba73ec93/
SH256 hash:
c720a283d6b9ece8383dd05cd1a1c1e5b951b81f46f7405031a7ca2005251a55
MD5 hash:
0a7609f599dab7641e1ca8e003f5179c
SHA1 hash:
2dc9620333679a73f8e2291ecea25b2f503c03e9
Link:
https://www.unpac.me/results/fa434d74-cbbd-46c4-b049-0e37ba73ec93/
SH256 hash:
2c6f0b1c49d3f02d59eb5c13cabf3454af245c0a69d99d3c50278c70130c57c6
MD5 hash:
985bb2eefe0c602dec2fb3e271326489
SHA1 hash:
8dd60a81412ce265d4168e29e5011408c369859b
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/fa434d74-cbbd-46c4-b049-0e37ba73ec93/
Parent samples :
cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663
SH256 hash:
96d75b7d2b500856308fa5cb24520befaf1432de6903bf744608ff434686483b
MD5 hash:
87bed7b122e8acb772a851e5f1422691
SHA1 hash:
bd6094ff201900358e822f1968c854fc99fb88be
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/fa434d74-cbbd-46c4-b049-0e37ba73ec93/
Parent samples :
cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/959714/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/111924/

Comments