MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39b65870a9134612935225334d16590d89261cacac9f99817c2b64cfe884ce0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c39b65870a9134612935225334d16590d89261cacac9f99817c2b64cfe884ce0
SHA3-384 hash: c2eb80292cd07257112f08177b2c919aeaa6ada92d43db81ab8b83314ca287609a527a7839f55551def2bc50da88d7b2
SHA1 hash: 9f3e8c7d463650506cb77c9b169f51f189b6bfea
MD5 hash: 56d0f698866e833722c1288fe5a97ff5
humanhash: lactose-louisiana-march-william
File name:MKT Swift-101.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:706'560 bytes
First seen:2022-05-24 02:30:17 UTC
Last seen:2022-05-24 09:55:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:t56sjYpxd+kbPgwUDFIEFCIe5Pftfl7qVfKAwv0GR5V26wdg:t0Q2Pg1WPP
Threatray 1'862 similar samples on MalwareBazaar
TLSH T1BBE48DAC3290B5DEC867CE76CAA41C64BA217C7B531BC6079027259CAD1DA87DF106F3
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 110d315969314d41 (4 x AgentTesla, 3 x Formbook, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
2.56.57.16:25154

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
2.56.57.16:25154 https://threatfox.abuse.ch/ioc/627161/

Intelligence

File Origin
# of uploads :
3
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
MKT Swift-101.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 02:32:36 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/9523de6a-f4cc-477a-9877-6370a2fc4623

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273913/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628c433f6eb3ff326326158a/reports/3b5d25e1-d25c-4e39-890a-ef0670290483/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6950dc1-c958-43bd-939b-14b2b8708516
Result
Threat name:
Ficker Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000327
Signature
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Ficker Stealer
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c39b65870a9134612935225334d16590d89261cacac9f99817c2b64cfe884ce0/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 02:15:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
56
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yonwlbykse2gckjvejjtjulfsdmjeyokzle7tgaxyk3ez7uijtqa._file
Verdict:
malicious
Similar samples:
04a86becf9648432d6e1bc0446567f1c6962e767c0e0738802e2a3c2520dfabc
RedLineStealer
11790a90358d5f0be495fce0dc3870ec8c088f23eddc84d4e90d5d4281ea6f27
RedLineStealer
5f9e348e3e48670f658701a635bd7d463202a6c6699bc42c632b1a10c905423c
RedLineStealer
6481dd646e6b2c2c66d976781cc79ef769cb6a885566f8d965b304f58cf08061
RedLineStealer
c7fbbdd84572a117d47a54168e71b8bd86f0c70198468486f6c3a040e9ecc310
RedLineStealer
ebc698f8b5b41a150c1f74cbea8b403eeff3049435285675757fe8b9f85ccf45
RedLineStealer
edc8375d2a96c96eb0d3b8c7acfba4a9ba7f602deb4a2738d4ff07f0ee129e98
RedLineStealer
+ 1'852 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:xexcel discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220524-czp35sced7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
2.56.57.16:25154
Unpacked files
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/0a37eeaa-0a59-49c8-99fe-c6d5229baaed/
SH256 hash:
372c77e9cef018de4af4ebcffa99f0913235494e1bf7ee235a3c5b9cc6e23d86
MD5 hash:
2b7a78337bf7540c6039333ffafffa03
SHA1 hash:
bd35d16e8124a6548d1310a1f74357ace36f7a1f
Link:
https://www.unpac.me/results/0a37eeaa-0a59-49c8-99fe-c6d5229baaed/
SH256 hash:
260b5fd8c93db7bf86e36b587079483233020e755074798ddbc40821a4afe0eb
MD5 hash:
13346af03b105b0b8f593724d6dc0c1d
SHA1 hash:
85c3722ba3a0cbe36b4a8997a9476bc498b7b3e7
Link:
https://www.unpac.me/results/0a37eeaa-0a59-49c8-99fe-c6d5229baaed/
SH256 hash:
b7f2e4da4f043b4de0fdebe8469f8c3a50b387c5b39a08d8d6b9b4208286042b
MD5 hash:
568625212e858c126731f117a528150c
SHA1 hash:
097852622474775468ea5967b11a5b400d98f92d
Link:
https://www.unpac.me/results/0a37eeaa-0a59-49c8-99fe-c6d5229baaed/
SH256 hash:
cab3ac66513f09b99fc148b0e48e9a9f5b5e67e2e250265584a4c376822b225e
MD5 hash:
51a71c49137b63722a3288d748b7757b
SHA1 hash:
09693fab18b82e848daff3e955054b375b29c4a0
Link:
https://www.unpac.me/results/0a37eeaa-0a59-49c8-99fe-c6d5229baaed/
SH256 hash:
c39b65870a9134612935225334d16590d89261cacac9f99817c2b64cfe884ce0
MD5 hash:
56d0f698866e833722c1288fe5a97ff5
SHA1 hash:
9f3e8c7d463650506cb77c9b169f51f189b6bfea
Link:
https://www.unpac.me/results/0a37eeaa-0a59-49c8-99fe-c6d5229baaed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/c39b65870a9134612935225334d16590d89261cacac9f99817c2b64cfe884ce0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273913/

Comments