MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cad1b58e38cfc1e0a0431fa9aae253a1626b4e4e3a6cbc6a8f119cd4959f6410. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments 1

SHA256 hash: cad1b58e38cfc1e0a0431fa9aae253a1626b4e4e3a6cbc6a8f119cd4959f6410
SHA3-384 hash: 3cd9df3dad27a02023f15ba451cd783acaa3120b2c0a19da49654a831fa223426c06f23de62be9422704359c97249aae
SHA1 hash: 5bbc936fdb82ed3e57c1ae2f4a0cbfab459883b7
MD5 hash: 859e6cf84ff73e9a9921fb829c3a386e
humanhash: winner-violet-michigan-oscar
File name:859e6cf84ff73e9a9921fb829c3a386e
Download: download sample
Signature RedLineStealer
File size:796'304 bytes
First seen:2022-05-04 19:07:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2d99dbf9a3c1158012345d1eb4ef7fac (1 x RedLineStealer)
ssdeep 24576:6QwJUPvfQ9Lu9lokWwq4uHopxqqYMEeq:6QwauQvWwq4wopVYME3
Threatray 2'499 similar samples on MalwareBazaar
TLSH T10305232635DBC53BE7906A384DADE6CADB24FD839C066B477390332CD572BA12E05781
File icon (PE):PE icon
dhash icon 30e0c4c45efc7038 (1 x RedLineStealer)
Reporter @zbetcheckin
Tags:32 exe RedLineStealer trojan

Intelligence


File Origin
# of uploads :
1
# of downloads :
1'178
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
859e6cf84ff73e9a9921fb829c3a386e
Verdict:
Malicious activity
Analysis date:
2022-05-04 19:10:03 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
–°reating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-05-04 19:08:09 UTC
File Type:
PE (Exe)
Extracted files:
71
AV detection:
15 of 42 (35.71%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
9129b89334fb5c9998912c9de01d0c4b1773e5dbe1ebb05e0cde66b818401f5b
MD5 hash:
c18be157894bcf1f134acd6ca0c2d5ad
SHA1 hash:
20cb149b4938e746f1c5916f9fa410aa16fe88c9
SH256 hash:
cad1b58e38cfc1e0a0431fa9aae253a1626b4e4e3a6cbc6a8f119cd4959f6410
MD5 hash:
859e6cf84ff73e9a9921fb829c3a386e
SHA1 hash:
5bbc936fdb82ed3e57c1ae2f4a0cbfab459883b7

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:adonunix2
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BAZT_B5_NOCEXInvalidStream
Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:NETDIC208_NOCEX
Rule name:NETDIC208_NOCEX_NOREACTOR
Rule name:NETDIC_208

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cad1b58e38cfc1e0a0431fa9aae253a1626b4e4e3a6cbc6a8f119cd4959f6410

(this sample)

  
Delivery method
Distributed via web download

Comments



Avatar
zbet commented on 2022-05-04 19:07:23 UTC

url : hxxps://iplogger.org/2QhZt7/