MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2ac4db811f66761b74ca3ee21683086dcbe8d63ad717a1796f0a2845d18179c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2ac4db811f66761b74ca3ee21683086dcbe8d63ad717a1796f0a2845d18179c
SHA3-384 hash: b48c411f5d8970738c7c1128648ca6a247cebe0869d350f101d035ffbca9430bd3710cf2e0191453b02029b2fee5fd8f
SHA1 hash: b69aaf76a379fe05ecda7a908a89e91b08e6cb03
MD5 hash: 03fe0ba790854b4dcb41cec688bf96e2
humanhash: jig-floor-eleven-missouri
File name:03fe0ba790854b4dcb41cec688bf96e2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:585'728 bytes
First seen:2021-06-13 13:40:29 UTC
Last seen:2021-06-13 14:38:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DSo73XmcalveiT25Zbc9fSW0JJBuCnKzZjH2wXLYIwbVC:+T0f
TLSH 7EC42E2825BFC509C4A7EFB12DDC98BBD9A995A3640E713301B9633B4B51794DE0F0B8
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.62:51929

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.62:51929 https://threatfox.abuse.ch/ioc/102058/

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
03fe0ba790854b4dcb41cec688bf96e2.exe
Verdict:
Malicious activity
Analysis date:
2021-06-13 13:42:52 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c5ee3f7e-00c1-4b62-9d41-d1fbbef2de31

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.56065.22464.7571.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Creating a window
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb81cbac-6797-4bc4-9b26-1a4fd8d1d135
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/801321
Signature
.NET source code contains very large strings
Injects a PE file into a foreign processes
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 433717 Sample: gixhRGuBh6.exe Startdate: 13/06/2021 Architecture: WINDOWS Score: 60 18 Yara detected RedLine Stealer 2->18 20 Uses known network protocols on non-standard ports 2->20 22 .NET source code contains very large strings 2->22 6 gixhRGuBh6.exe 4 2->6         started        process3 signatures4 24 Injects a PE file into a foreign processes 6->24 9 gixhRGuBh6.exe 15 2 6->9         started        12 conhost.exe 6->12         started        14 gixhRGuBh6.exe 6->14         started        process5 dnsIp6 16 185.215.113.62, 49724, 51929 WHOLESALECONNECTIONSNL Portugal 9->16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2ac4db811f66761b74ca3ee21683086dcbe8d63ad717a1796f0a2845d18179c/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 13:41:09 UTC
File Type:
PE (.Net Exe)
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2kwe3oar6ztwdn2mupxcc2bqq3ol5dldvvyxuf4w6criixiyc6oa._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210613-s8ys655hmn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
903ef0ea1c09d586b40e2cddf9a647d64f85f2fbbc6b7dcc8faa3a4d0788fe2c
MD5 hash:
6d8ca781a7b812fc96948813921b04de
SHA1 hash:
7f1206187f847d6e69beb89582975c49cd25ea8f
Link:
https://www.unpac.me/results/dda712e7-7834-40d3-ad90-3b15d28d613d/
SH256 hash:
d2ac4db811f66761b74ca3ee21683086dcbe8d63ad717a1796f0a2845d18179c
MD5 hash:
03fe0ba790854b4dcb41cec688bf96e2
SHA1 hash:
b69aaf76a379fe05ecda7a908a89e91b08e6cb03
Link:
https://www.unpac.me/results/dda712e7-7834-40d3-ad90-3b15d28d613d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2ac4db811f66761b74ca3ee21683086dcbe8d63ad717a1796f0a2845d18179c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d2ac4db811f66761b74ca3ee21683086dcbe8d63ad717a1796f0a2845d18179c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1358576/
  
Delivery method
Distributed via web download

Comments