MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1ff8fc9653175919374088eade3f15aaf022129f0e3d23669717416b7161c72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1ff8fc9653175919374088eade3f15aaf022129f0e3d23669717416b7161c72
SHA3-384 hash: 3d3ef8c2a724007b99105d268f71ea0cd4313629b4b7fd34e6c6f26ff4e4ba8ba1d7d4f30edd0ed41c80b77a7151db9d
SHA1 hash: ede1b28deabaa02cf2c451474d47f867377c81fb
MD5 hash: f70daa663f8f51be5247482fd212d1a4
humanhash: table-mars-gee-quebec
File name:f70daa663f8f51be5247482fd212d1a4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:25'088 bytes
First seen:2020-10-28 10:00:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:Tlh10GJgx9yXawL4QAAaf0YyKpu3P0Kebmy6xFisXBcYYLtnNim:Tr1ZJgxEX4QSf0YyDpG6jis49V
TLSH 57B23A25B7F88335D5AA0B7A0AF8E38111B5A1017412C7DB9DD415E92F733C26A237D7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://138.124.180.19:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/80443/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.58261.18339.10773.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Sending a custom TCP request
Launching a process
Creating a file
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/514898
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 306560 Sample: QdhA0RHgZk.exe Startdate: 28/10/2020 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected RedLine Stealer 2->38 40 Uses ping.exe to sleep 2->40 42 5 other signatures 2->42 8 QdhA0RHgZk.exe 15 3 2->8         started        process3 dnsIp4 28 jvv.nruptm.ru 81.177.135.41, 443, 49719 RTCOMM-ASRU Russian Federation 8->28 46 Writes to foreign memory regions 8->46 48 Allocates memory in foreign processes 8->48 50 Injects a PE file into a foreign processes 8->50 12 AddInProcess32.exe 14 23 8->12         started        16 AddInProcess32.exe 8->16         started        signatures5 process6 dnsIp7 30 WHOIS.RIPE.NET 193.0.6.135, 43, 49731 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 12->30 32 138.124.180.19, 35200, 49727 NOKIA-ASFI Norway 12->32 34 6 other IPs or domains 12->34 52 Tries to harvest and steal browser information (history, passwords, etc) 12->52 18 cmd.exe 1 12->18         started        54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->56 signatures8 process9 dnsIp10 26 127.0.0.1 unknown unknown 18->26 44 Uses ping.exe to sleep 18->44 22 conhost.exe 18->22         started        24 PING.EXE 1 18->24         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1ff8fc9653175919374088eade3f15aaf022129f0e3d23669717416b7161c72/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-28 09:44:20 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2h7y7slfgf2zde3ubchk3y7rlkxqeijj6dr5entjof2bnnywdrza._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline infostealer keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201028-9eqvyfbp56/
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d1ff8fc9653175919374088eade3f15aaf022129f0e3d23669717416b7161c72

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/80443/
  
URLhaus
https://urlhaus.abuse.ch/url/759776/
  
Delivery method
Distributed via web download

Comments