MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfead95d7c8a5769d14c2d5cf989237af61be10241de21523f8a955e5b36f1e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments 1

SHA256 hash:	cfead95d7c8a5769d14c2d5cf989237af61be10241de21523f8a955e5b36f1e7
SHA3-384 hash:	1523d6ba2f9a83b29435fcccdb9377e411fc62d68361e1019e269e84d1e9c5e3857210b587abbefc6f4a6c8c2605086b
SHA1 hash:	e1e7b800573cded1cfcbde06b49945c867aad9af
MD5 hash:	536e4abcd95e47970c6dcad2a6a4dec8
humanhash:	jersey-sierra-twelve-angel
File name:	536e4abcd95e47970c6dcad2a6a4dec8
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	98'304 bytes
First seen:	2021-07-29 11:16:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	1536:qHB+zRmEOBSIUoCXWAiMHLVbn27CyJ55xkS2mbf9Bo3dH1PyHddok3LtxbIj8E/J:qwzRmElIUvWAiMHNn27xxZj1UdHty9ds
Threatray	940 similar samples on MalwareBazaar
TLSH	T107A34D28A3AC9B25D2FE477576B011254FF0E18B6012EB4B4ED1B8CB2E76BC235155F2
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

536e4abcd95e47970c6dcad2a6a4dec8

Verdict:

Suspicious activity

Analysis date:

2021-07-29 11:18:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/26b343ff-7186-495a-8b02-f5e4da3c5f52

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/174984/

Detection(s):

Win.Malware.Bulz-9880537-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cf23ddaf-35af-4c5a-8c4c-2fc51ccb48a8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/823753

Signature

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Multi AV Scanner detection for submitted file

Potential time zone aware malware

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-20 20:55:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z7vnsxl4rjlwtukmfvoptcjdpl3bxyicihpccur7rkkv4wzw6htq._file

Verdict:

malicious

RedLineStealer

0a57da60edb393260bde08820ab954d33416b778abf9f2a36627e321079afe2e

RedLineStealer

2ab38fdbe562dd5a6be9651562e1523dbf7f3fd7d720d57bc9a25b0e2b665640

RedLineStealer

3eed2868066aee69ca5877fac912a67692f01b2cb2b45a71e9d15f67c1a51a47

RedLineStealer

53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9

RedLineStealer

8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

RedLineStealer

a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe

RedLineStealer

b06a04969f5856d665a1e837f7aed8b1adfca9e44d06e7d5100b8c3adac4df79

RedLineStealer

b5736b6878b89a101d24407f6b25773e4c30755841e6256eae33771192d667e3

RedLineStealer

d4318bfc9c962824b9254a8eecaa7f30c5e6cc3a209a6d8ef84395aeab2403b7

RedLineStealer

+ 930 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@bbakoch

Link:

https://tria.ge/reports/210729-sm4mq48zcn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Malware Config

C2 Extraction:

185.186.142.55:10425

Unpacked files

SH256 hash:

cfead95d7c8a5769d14c2d5cf989237af61be10241de21523f8a955e5b36f1e7

MD5 hash:

536e4abcd95e47970c6dcad2a6a4dec8

SHA1 hash:

e1e7b800573cded1cfcbde06b49945c867aad9af

Link:

https://www.unpac.me/results/6ccaafe9-77b8-4534-b2bb-44fe0446a402/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/cfead95d7c8a5769d14c2d5cf989237af61be10241de21523f8a955e5b36f1e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)