MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfac75f3ee6ba6f7816e73908f679a7c185b12044580c1f6b0cbf41dfe74b0f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	cfac75f3ee6ba6f7816e73908f679a7c185b12044580c1f6b0cbf41dfe74b0f7
SHA3-384 hash:	3772e947a145f76710b4f9701d0845e7390ab1c67df26ab9771db370d930e89704f603efbd1c4bca6a663f7a09f5bc20
SHA1 hash:	b48122cace403170b55457105cb0c43fac68ead2
MD5 hash:	2e31bb2a664c08df661b6af6905a6702
humanhash:	delaware-alanine-oregon-hotel
File name:	2e31bb2a664c08df661b6af6905a6702.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	19'968 bytes
First seen:	2020-07-09 18:27:29 UTC
Last seen:	2020-07-09 19:58:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	384:b2j/RaaehLlxIq06x6eFJYNlqqbSQaIJS96wiJiBAL:1aehLlxIq0I60asaSWJSIwiIA
Threatray	80 similar samples on MalwareBazaar
TLSH	F7922A3073D5833ACDB74BB444B9C3894730B1979D12EB9B49C961869B233848B737A7
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://2.56.213.39:81/IRemotePanel

Intelligence

File Origin

# of uploads :

2

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Razy.704823.23067.19179.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file in the Windows subdirectories

Sending an HTTP GET request

Launching a process

Connection attempt to an infection source

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cfac75f3ee6ba6f7816e73908f679a7c185b12044580c1f6b0cbf41dfe74b0f7/

Threat name:

ByteCode-MSIL.Dropper.Azorult

Status:

Malicious

First seen:

2020-07-09 18:29:04 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z6whl47onotppaloooii6z42pqmfweqeiwamd5vqzp2b37tuwd3q._file

Verdict:

suspicious

Similar samples:

1681aa9c53703a91a8feb2296051bffc02763c1663e8e50113d51c4b7cb37378

3690d387e841f98e0a92a700196961b11b717b0f543e601d7e0f6c848cc77bbf

3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd

692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8

aa30299c8266809acb727ef5ec89a80f0cdbcc848550607743f256438f00e398

d0e642197915ade19fb4c2df299063e49ed7f650e4b3b6ee90d4f0d626b900c3

dbbc9e640af23658de56eba2f5ec2152de38fa35f11343f0d2216b8b5d7967a8

ed1a371e8918f6f1dde9fad1e3edb2c984ea3704217e2bca5b2489b61d1bc56e

ee5330d0a01cd004994c5798a3c0c09b160b560e6cdb3f2509b9af2431a0a8fd

f208226c60c95ee10f879f0f38ad9bf85a30fa411d6d20893e9ddaea5a0daf20

+ 70 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

discovery spyware infostealer family:redline evasion trojan

Link:

https://tria.ge/reports/200709-vg81lzdl6s/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Checks whether UAC is enabled

Modifies Internet Explorer settings

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks for installed software on the system

Modifies system certificate store

Reads user/profile data of web browsers

RedLine

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe cfac75f3ee6ba6f7816e73908f679a7c185b12044580c1f6b0cbf41dfe74b0f7

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/24057/

URLhaus

https://urlhaus.abuse.ch/url/408186/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample