MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
SHA3-384 hash:	093ea081a0cab6a59201a72a2d5ab9dcf785a6bd802c096c1bbe5f6cc427a4f1348e247947dd25810b71ab51ea14e30d
SHA1 hash:	ba2327322c6f1e7bc081bd885ef89fe40e9837ca
MD5 hash:	b8dc0d47a02656e13ca9337fe8d1b5d0
humanhash:	spring-music-shade-beer
File name:	b8dc0d47a02656e13ca9337fe8d1b5d0.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	342'528 bytes
First seen:	2021-01-14 06:35:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7304fc031c729ed62048b4dd8e72efab (5 x RedLineStealer, 1 x Smoke Loader)
ssdeep	6144:pzjF/hBuAk5WhNNUDfgSzcLv8USSShnZ7KoMRVXEUEKHm:pfRhBLk5WhSoRSScERVXEUEKH
Threatray	260 similar samples on MalwareBazaar
TLSH	4D741161BEC08D52E3781D338B5A73F271CC29AE0B201287797D924E1DFB5B2664719B
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://93.115.18.245:35200/IRemotePanel

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b8dc0d47a02656e13ca9337fe8d1b5d0.exe

Verdict:

Malicious activity

Analysis date:

2021-01-14 06:42:36 UTC

Tags:

rat redline trojan

Link:

https://app.any.run/tasks/d329696c-f347-4082-9dea-c51552f02ff0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/111923/

Detection(s):

PUA.Win.Packer.Upx-48

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Running batch commands

Creating a file

Launching a process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/580900

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54/

Threat name:

Win32.Dropper.Generic

Status:

Suspicious

First seen:

2021-01-14 06:35:26 UTC

AV detection:

14 of 46 (30.43%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z3gzrvw5uz7jurd7tvmwm37lrpsclhu4idgetqu2fl4ukbaulnka._file

Verdict:

malicious

RedLineStealer

4eb5508fd5f2e2e2c78f406c2312dd83d7790d3822cb2182fbb86df85afd6777

RedLineStealer

51615786dd61880b418061e7ab53c560ab69e979879a27c2feb9f68a62996b72

RedLineStealer

71aaff890e5c76962463e4f1c102819a6f7469e76139b5b49282f5f596d7ea36

RedLineStealer

7328f90488ba26b3e9d92cf097f69a4ba7ffca152660bf1e126cc5d1c7a1f835

RedLineStealer

733b75ae9580dccc5e4cc7941e621f89c53b35d94a8b792241f1603ba2e8e675

RedLineStealer

a8ae3cb248fb4721b27615276393e430bae895d37794b917f09980bd31c1176c

RedLineStealer

add432dca76d9ae5e7883d7fccba10211cbf0a6b2f694af0edc37a679739f375

RedLineStealer

c96f35457cc26c36104f053cb445c0835ead6434c3ce57adaae7911b2ab51d5c

RedLineStealer

e8356fad49709d2563d2707dbb09f4f1019e30a0ff5836047a11b3d1d84f4d62

RedLineStealer

+ 250 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/210114-tbwbahtq8j/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks installed software on the system

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

RedLine

Unpacked files

SH256 hash:

cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54

MD5 hash:

b8dc0d47a02656e13ca9337fe8d1b5d0

SHA1 hash:

ba2327322c6f1e7bc081bd885ef89fe40e9837ca

Link:

https://www.unpac.me/results/7be7800d-2c66-454e-a21c-f55d17ff0869/

SH256 hash:

ff5c898b2f253ddb651a1381066af30d35cdedd96e76eae627c1bd4e80fc8886

MD5 hash:

64d24f8ca5e14d2bf408c0881867c425

SHA1 hash:

e1db61eff38b7b6658fa532e5b368ab58c6bf264

Link:

https://www.unpac.me/results/7be7800d-2c66-454e-a21c-f55d17ff0869/

SH256 hash:

c720a283d6b9ece8383dd05cd1a1c1e5b951b81f46f7405031a7ca2005251a55

MD5 hash:

0a7609f599dab7641e1ca8e003f5179c

SHA1 hash:

2dc9620333679a73f8e2291ecea25b2f503c03e9

Link:

https://www.unpac.me/results/7be7800d-2c66-454e-a21c-f55d17ff0869/

SH256 hash:

2c6f0b1c49d3f02d59eb5c13cabf3454af245c0a69d99d3c50278c70130c57c6

MD5 hash:

985bb2eefe0c602dec2fb3e271326489

SHA1 hash:

8dd60a81412ce265d4168e29e5011408c369859b

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/7be7800d-2c66-454e-a21c-f55d17ff0869/

Parent samples :

cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663

SH256 hash:

96d75b7d2b500856308fa5cb24520befaf1432de6903bf744608ff434686483b

MD5 hash:

87bed7b122e8acb772a851e5f1422691

SHA1 hash:

bd6094ff201900358e822f1968c854fc99fb88be

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/7be7800d-2c66-454e-a21c-f55d17ff0869/

Parent samples :

cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/