MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc4843f9e8ee5a0e17fd5639d45839ecbfaa2f06aaa5b8701b41997ccf0b7fc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc4843f9e8ee5a0e17fd5639d45839ecbfaa2f06aaa5b8701b41997ccf0b7fc6
SHA3-384 hash: fbf2edf2f8818c4aba8eadc8c85e4c034b703c8168283eb6584e2947ec3e913ef0f2fd819c839e9a88ea0dd7c56556b5
SHA1 hash: 52cfc84685358e2897d52551f98ace7493311d15
MD5 hash: 22b857320659f058de7f1337580934f3
humanhash: juliet-tennis-xray-seven
File name:argent.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:940'032 bytes
First seen:2021-07-20 09:51:23 UTC
Last seen:2021-07-20 10:41:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep 12288:i1PetzZsIkO34Uy2Wx2bhhqHTfC/4VCR6Gt8v+:EetzZyO3PMshqzqwg6Gt8v+
Threatray 1'515 similar samples on MalwareBazaar
TLSH T18E15186836405AABC0657633C166E330AFF05D012203DE0E67EAF9BB3D72257694ED5E
Reporter JAMESWT_WT
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.226.139.106:25644 https://threatfox.abuse.ch/ioc/161664/

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DogeTab.exe
Verdict:
Malicious activity
Analysis date:
2021-07-20 09:49:07 UTC
Tags:
teamviewer tvrat rat trojan loader stealer
Link:
https://app.any.run/tasks/06c32e9d-3017-4c14-aa21-0fe21760aeb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172763/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.20145.3360.19829.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79f68dad-2547-455b-a073-e23ec2294e2b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818808
Signature
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc4843f9e8ee5a0e17fd5639d45839ecbfaa2f06aaa5b8701b41997ccf0b7fc6/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 20:14:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zreeh6pi5zna4f75ky45iwbz5s72ulygvks3q4a3igmxztylp7da._file
Verdict:
malicious
Similar samples:
08158e947e60d291cb15ea3f5d34dddaaf596225ee75f21b8789bef807e8c65e
RedLineStealer
2cbe0812081f1c8676e8fb96d9e4e08e6ac092c38982586030bd7302ed2b9a2d
RedLineStealer
546786da2b0bd97f39ce61ae69157e60aeba1dd176f1d1876ed2a413f2a48954
RedLineStealer
88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902
RedLineStealer
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
RedLineStealer
a77affc8aade0e41bacc74406c6db70c087971dad3f5acb73eaa0531ecb0135f
RedLineStealer
ab8d377d550ebae841ab75d2d6257fb38960efc049037bbd2468483871897e5d
RedLineStealer
b06a04969f5856d665a1e837f7aed8b1adfca9e44d06e7d5100b8c3adac4df79
RedLineStealer
d4318bfc9c962824b9254a8eecaa7f30c5e6cc3a209a6d8ef84395aeab2403b7
RedLineStealer
fecf30cf57db17985193ff17ffca3697562215ac1b66d0c7cab2fa7c36c8cf5d
RedLineStealer
+ 1'505 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210720-35g6qta27x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
194.226.139.106:25644
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/27efa90c-e235-4527-8fc6-f62b567937d1/
SH256 hash:
5c6386f7c433587ce9a23ad884cbc82a68adc55c640da0e469cd6b8d09943764
MD5 hash:
40ea0ab67c4fb851f3514ab34babe722
SHA1 hash:
415374fdf7de217e8afd46be0427ed116a4e70b6
Link:
https://www.unpac.me/results/27efa90c-e235-4527-8fc6-f62b567937d1/
SH256 hash:
78faa1d8ebe47f6b89eb665963f12c15ca938bf2964cf04a26ec100f2b06d964
MD5 hash:
e3df59e98f20a24cb703521b28b06e10
SHA1 hash:
2e1ab88d098353b44bbc12a3d5e0d390b6129895
Link:
https://www.unpac.me/results/27efa90c-e235-4527-8fc6-f62b567937d1/
SH256 hash:
cc4843f9e8ee5a0e17fd5639d45839ecbfaa2f06aaa5b8701b41997ccf0b7fc6
MD5 hash:
22b857320659f058de7f1337580934f3
SHA1 hash:
52cfc84685358e2897d52551f98ace7493311d15
Link:
https://www.unpac.me/results/27efa90c-e235-4527-8fc6-f62b567937d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/cc4843f9e8ee5a0e17fd5639d45839ecbfaa2f06aaa5b8701b41997ccf0b7fc6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cc4843f9e8ee5a0e17fd5639d45839ecbfaa2f06aaa5b8701b41997ccf0b7fc6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1468187/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172763/

Comments