MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6060fc07a8d995ef6139b2818bfc188a06c5d8a506a7450acd1c558ef92d404. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6060fc07a8d995ef6139b2818bfc188a06c5d8a506a7450acd1c558ef92d404
SHA3-384 hash: 13765208f4ed0459a4c21dcb0f8f2daa14364b4a9eef14a2a36f291ee8e38f4f65ff29b5aae62398ef35e343a98bc852
SHA1 hash: 360f131fcce1b7081ad4e99d7aea2facb558d296
MD5 hash: 5f367bf8b0c6b4b567f8766961a5921c
humanhash: dakota-red-angel-fourteen
File name:5f367bf8b0c6b4b567f8766961a5921c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'322'736 bytes
First seen:2021-05-05 13:21:32 UTC
Last seen:2021-05-05 14:03:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'636 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:2GT3uAhgsIUoLAIRPSNbl5ZyO4Yr5fZfw:2GT3utPS9ZT4+a
Threatray 320 similar samples on MalwareBazaar
TLSH 4255819C325031EED467DAB69BE86C24E6203876572F410B921323FD9A1EE53DF245E3
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150624/
Detection(s):
SecuriteInfo.com.Malware.AI.3818671168.5773.5230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6060fc07a8d995ef6139b2818bfc188a06c5d8a506a7450acd1c558ef92d404/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 13:22:08 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yda7qd2rwmv55qttmubrp6brcqgyxmkkbvhiufm2hcvr34s2qca._file
Verdict:
malicious
Similar samples:
0c12eec00f01190811ea2908499be0a7bbcc290dc1112a83b633de60f909fa20
RedLineStealer
1efeb065915f4f4dc1a53837ef5f428b4c73d27fb30086ccb8d792d2f68295a4
RedLineStealer
3aca76d7bdd23aa701fffa2994e4b9438439056ad0317b78f6c7251b3fb9f2c5
RedLineStealer
5312f25b2ddb5ca623a0b4aa73a43af58c217646afacf4dbd2995dacafa80c77
RedLineStealer
586871a8aa5c08be02631a432daa373d9e40fdd0dd53b80f0210f53b41dbbfb3
RedLineStealer
7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191
RedLineStealer
b0fbc0cb8f9d0b065439e1cee2fcd98d020f3abe54f0940ff661b3952d4a52e5
RedLineStealer
c89928a29ebf0c8c2acd7d9a457236e15d1a604d5c892ec5d750d94e68e4c108
RedLineStealer
dd4a98c54832ec6b61160f7c214af65f476cc75659fc3ea0add868373022031e
RedLineStealer
fe28808f8b07b484ff987a1ccc2f187857139e84d58dfbbb8004ce29f21bf1ea
RedLineStealer
+ 310 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210505-9babrbp8mj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/49241618-afb9-4059-a629-ba8e126f52e5/
SH256 hash:
784c9ed254cd024a044f97c007182efa0667880cc51a25c8ec66892d9bed1dc1
MD5 hash:
c87d7ee32b519a770b2ab2d104791def
SHA1 hash:
a23eb03a27139cee07007e8371dac9480a247b1f
Link:
https://www.unpac.me/results/49241618-afb9-4059-a629-ba8e126f52e5/
SH256 hash:
a8d85841066da12309b54125f09bd6f57dc0db418aadf799ebc118a32a25d8f2
MD5 hash:
1d8acd46eab8ae1dba75e199b77425b0
SHA1 hash:
7ca1ced0b39cae7cbfe96b68af9126c5da53d956
Link:
https://www.unpac.me/results/49241618-afb9-4059-a629-ba8e126f52e5/
SH256 hash:
d6060fc07a8d995ef6139b2818bfc188a06c5d8a506a7450acd1c558ef92d404
MD5 hash:
5f367bf8b0c6b4b567f8766961a5921c
SHA1 hash:
360f131fcce1b7081ad4e99d7aea2facb558d296
Link:
https://www.unpac.me/results/49241618-afb9-4059-a629-ba8e126f52e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6060fc07a8d995ef6139b2818bfc188a06c5d8a506a7450acd1c558ef92d404

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:pe_imphash
Create hunting rule
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d6060fc07a8d995ef6139b2818bfc188a06c5d8a506a7450acd1c558ef92d404

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1104214/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/150624/

Comments