MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be685c54bddeb8b51ee95a8f08c89be778c6ddc99c4f45b49338b218d53a941f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: be685c54bddeb8b51ee95a8f08c89be778c6ddc99c4f45b49338b218d53a941f
SHA3-384 hash: 1c6eb6edf89768878df19cb47a6fe2bf3edb2edf461ecf25eeecc0b7c98d7fe193bc283db1ba3a29b961d967e6028ffc
SHA1 hash: 976f5968c4de98d5b42b1a1b6d074fadaf7f9948
MD5 hash: 2d7f8b0dfc6646355f2b895c95f61c36
humanhash: pizza-north-mexico-ink
File name: Receipt9LKD.exe
Signature: RedLineStealer
File size: 653'824 bytes
First seen: 2022-04-20 10:30:45 UTC
Last seen: 2022-04-21 08:05:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:GwYRm/I9koFZGt51xc2v60A6hNmrNm2zz80Paq/1r/VAKu4kMagg8myu1cSEHWOc:1Yg/IyoJ03SkU5PZNJAKu4kv8mB1Yc
Threatray: 4'124 similar samples on MalwareBazaar
TLSH: T1BBD4E08C722071EFCC67C076CEA85DA8BAA1747A531F9217902719DDE95DA97CF100F2
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 70c0d0d0c8ccf0f0 (8 x Formbook, 4 x NanoCore, 3 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
140.228.29.199:25415

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
140.228.29.199:25415   https://threatfox.abuse.ch/ioc/521884/

Intelligence


File Origin
# of uploads: 5
# of downloads: 230
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 01342091c3addcfb0010759e3ed5c0990edaf160457d76ce4a976583f8338fad
Verdict: Suspicious activity
Analysis date: 2022-04-20 15:55:37 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Behaviour
Creating a window

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe obfuscated packed update.exe

Result
Verdict: UNKNOWN
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signatures
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-04-20 11:31:44 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 22 of 26 (84.62%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:viewoffer infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
RedLine
RedLine Payload

Malware Config
C2 Extraction: 140.228.29.199:25415
Unpacked files
SHA256 hash: f5cd45adc14005ef3449e70f9d674b74a7c93bcbb08443a9bb859c418725891e
MD5 hash: a9598966d20b527d602f2c2b6a9fa7b0
SHA1 hash: f2a6632b65e01fca17321ece56fc11abf96250bd

SHA256 hash: e649e0d6c577aac4d57e7093d75b1dafcbf641f62110d177a9286749846ddc43
MD5 hash: ecb7908b31c84e773559219d97756922
SHA1 hash: ec70bff9e7e0f25b35e99a197a493b41b7553022

SHA256 hash: 334b7f600ceb9594c653bf17226e8b81af8df7fd864a92d231d1b2f91ff31b3a
MD5 hash: f1f0f81f557e6d382104d6fba5f60f40
SHA1 hash: eb8d26f15af6951353ba6379ebf1fed08515c5ef

SHA256 hash: 22f1695b6923a17b476d1012d72c0643e04f06f0799497e63400807051f20b9d
MD5 hash: 40fc1a8456b8522f77f5ce8f097ca37f
SHA1 hash: a0dee5fbc45472f11813abc64c47a0653e608f15

SHA256 hash: be685c54bddeb8b51ee95a8f08c89be778c6ddc99c4f45b49338b218d53a941f
MD5 hash: 2d7f8b0dfc6646355f2b895c95f61c36
SHA1 hash: 976f5968c4de98d5b42b1a1b6d074fadaf7f9948
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments