MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbc85a715451d8f29b7ca73395decea7accbaedec73a7f2a757b248cf7cc462b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbc85a715451d8f29b7ca73395decea7accbaedec73a7f2a757b248cf7cc462b
SHA3-384 hash: 4bff8385959641b5e714e597a3142403852ce6c08936d53450aa8c9b8506ebc4384f6fb1c60acb479a1fe89dab6283a7
SHA1 hash: 9f89a0ad7cb44ebfaa8bc8da80ee7e4649d53591
MD5 hash: 875c308ab4aefeea743c5fbfd3f47124
humanhash: lemon-fruit-salami-virginia
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.60948.5233.14351
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:19'968 bytes
First seen:2020-12-28 15:48:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:+SVSE3f4OqENRPvDG98DbkwEuVStqwuFt8LLq0Kg2z:+SVSE3f4rErPvDG9AEo4qRFt8xQ
Threatray 262 similar samples on MalwareBazaar
TLSH F392E83263E4C73EE5AB177484BD898182B1F5C67D01D7AB58C891CA5B1329687633F3
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
437
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PWS.Siggen2.60948.5233.14351
Verdict:
Malicious activity
Analysis date:
2020-12-28 15:52:09 UTC
Tags:
rat redline trojan
Link:
https://app.any.run/tasks/22a8d718-57ed-4ef8-9e9c-c79a3a8c4428

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109568/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.60948.5233.14351.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Sending a UDP request
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570788
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334451 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 28/12/2020 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected RedLine Stealer 2->47 49 Uses ping.exe to sleep 2->49 51 5 other signatures 2->51 8 SecuriteInfo.com.Trojan.PWS.Siggen2.60948.5233.exe 15 3 2->8         started        process3 dnsIp4 35 3txi.uuundfev.ru 81.177.141.231, 443, 49717 RTCOMM-ASRU Russian Federation 8->35 29 SecuriteInfo.com.T....60948.5233.exe.log, ASCII 8->29 dropped 55 Writes to foreign memory regions 8->55 57 Allocates memory in foreign processes 8->57 59 Injects a PE file into a foreign processes 8->59 13 AddInProcess32.exe 14 23 8->13         started        18 AddInProcess32.exe 8->18         started        file5 signatures6 process7 dnsIp8 39 api.ip.sb 13->39 41 WHOIS.RIPE.NET 193.0.6.135, 43, 49729 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 13->41 43 3 other IPs or domains 13->43 31 C:\Users\user\...\AddInProcess32.exe.log, ASCII 13->31 dropped 61 Tries to harvest and steal browser information (history, passwords, etc) 13->61 20 cmd.exe 1 13->20         started        63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->63 65 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->65 file9 signatures10 process11 dnsIp12 33 127.0.0.1 unknown unknown 20->33 53 Uses ping.exe to sleep 20->53 24 PING.EXE 1 20->24         started        27 conhost.exe 20->27         started        signatures13 process14 dnsIp15 37 192.168.2.1 unknown unknown 24->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbc85a715451d8f29b7ca73395decea7accbaedec73a7f2a757b248cf7cc462b/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-28 02:47:24 UTC
AV detection:
24 of 48 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpefu4kukhmpfg34u4zzlxwou6wmxlw6y45h6ktvpmsiz56miyvq._file
Verdict:
malicious
Similar samples:
16e2f02323bffb1363b00f294c442412db60fa44d63b06cb0098949912d9c3e6
RedLineStealer
1e738345ff1e40f5931d8e2009894f9830a38443836fb9da19eec9498fe2901a
RedLineStealer
2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f
RedLineStealer
45c3f3af9f9d0c905dcb43df313ecf62364fa7cbab78236a3c049700556b1d63
RedLineStealer
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
RedLineStealer
8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a
RedLineStealer
9c3b3e69af0914c05b102e9c8288d1a3a7526c14721b774cd129b606b7bf224d
RedLineStealer
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
RedLineStealer
b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04
RedLineStealer
f1f02609df5674a0ad67ce6d2bd2f07dd7616eb2995b07f31ae431a956036ae9
RedLineStealer
+ 252 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline infostealer keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201228-5fjrragdna/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
bbc85a715451d8f29b7ca73395decea7accbaedec73a7f2a757b248cf7cc462b
MD5 hash:
875c308ab4aefeea743c5fbfd3f47124
SHA1 hash:
9f89a0ad7cb44ebfaa8bc8da80ee7e4649d53591
Link:
https://www.unpac.me/results/1a4e6a92-fc90-4056-8998-6e3feaa5bb3f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbc85a715451d8f29b7ca73395decea7accbaedec73a7f2a757b248cf7cc462b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe bbc85a715451d8f29b7ca73395decea7accbaedec73a7f2a757b248cf7cc462b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/943586/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/109568/

Comments