MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e41edbdfb2f64098382cea28b8069402da3ae4c0e4511fecd81df614c23a31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	d7e41edbdfb2f64098382cea28b8069402da3ae4c0e4511fecd81df614c23a31
SHA3-384 hash:	68340af8e44248630845d13565eef3ec15fe12d5805c5956fa93f62b34fc3bd88c58e6a7f1fac69d53c4afddc72e5495
SHA1 hash:	7d31029b5374fc9637dc0b887c0976d96a49b781
MD5 hash:	a0c2ebdd9f987f5cd0e82d8d5aa9e636
humanhash:	crazy-indigo-juliet-alanine
File name:	QUOTE_98876_566743_233.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	868'352 bytes
First seen:	2021-01-13 07:27:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:Cy5UYanO8UNCHG1jamtUqFu4gDzU6nnjqKoe:cMNYG1jr9/Q9jqKoe
Threatray	71 similar samples on MalwareBazaar
TLSH	A3057D46AFC1C754CBAC21FE2106406527E5CBBAF6DCE71CDA847072AFD696804FD292
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

Malspam distributing RedLineStealer:

HELO: smtp.fuse.net
Sending IP: 64.8.71.14
From: Lydia Yonkers<johnportwood@fuse.net>
Reply-To: lydiayonkers@danaackremannl.com
Subject: Quote Request
Attachment: QUOTE_98876_566743_233.IMG (contains "QUOTE_98876_566743_233.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QUOTE_98876_566743_233.exe

Verdict:

Malicious activity

Analysis date:

2021-01-13 09:13:57 UTC

Tags:

rat redline trojan evasion

Link:

https://app.any.run/tasks/364c7491-25ff-4752-8dda-a217c7db2345

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/111714/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/579961

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses dynamic DNS services

Uses known network protocols on non-standard ports

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected AntiVM_3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7e41edbdfb2f64098382cea28b8069402da3ae4c0e4511fecd81df614c23a31/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-01-13 07:28:11 UTC

AV detection:

15 of 46 (32.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=27sb5w67wl3ebgbyftvcroagsqbnuoxeydsfch7m3ao7mfgchiyq._file

Verdict:

malicious

RedLineStealer

40e054c5c315d144c46e4caab2eb10d61f71c8f3cb97a85e81b96ce6a306463d

RedLineStealer

450f7d91e80c562310d464e2d0cebaa1ca6e0c475b29dda096fdeee69343701d

RedLineStealer

67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679

RedLineStealer

6aae2544784eec2f856dc11effdfd79bf9d02c91df9f0ff7170c042d3ee4f848

RedLineStealer

a8d610f19e96de89a6f0ca74140b1ce763cb5f2cf2755f17ed411f81eed9bf2f

RedLineStealer

b185c97cf356748005cda3b4ccb5a6df0e059c8869ba3b3f33595984bb60f380

RedLineStealer

e10a0b049f468fe1e88dc589c37e6743a248f6f9461f99b0c1ac983694fe958e

RedLineStealer

e82407b9d89827f01c08e482aa0a5808a41a05aecb57c53978dcba6954f77f6f

RedLineStealer

ea817dad9e775458a44b3675cb377d42545005114862f36f6818e5c4dd0bf68e

RedLineStealer

+ 61 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210113-g31w4gm2xa/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

Looks up external IP address via web service

Deletes itself

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

RedLine

Unpacked files

SH256 hash:

d7e41edbdfb2f64098382cea28b8069402da3ae4c0e4511fecd81df614c23a31

MD5 hash:

a0c2ebdd9f987f5cd0e82d8d5aa9e636

SHA1 hash:

7d31029b5374fc9637dc0b887c0976d96a49b781

Link:

https://www.unpac.me/results/00da03af-d14b-4b6f-93d9-151b3981669b/

SH256 hash:

296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5

MD5 hash:

4cf24d41a7882216740280e3294cb853

SHA1 hash:

6bcb31d3dc0a7d71da1067a628168664202769a4

Link:

https://www.unpac.me/results/00da03af-d14b-4b6f-93d9-151b3981669b/

SH256 hash:

13440c6aebabdb008679e5500869e65b81cd9d15cd78b6d89c1f85e2658e6f6a

MD5 hash:

15af5b5537af4d76fe4366c5817a6249

SHA1 hash:

2799b0645dc401537e77b906536ddc3eccc2c3cc

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/00da03af-d14b-4b6f-93d9-151b3981669b/

Parent samples :

0eb70fd1476d81dcf01cef53f0cc4f6eb2718c86722eb8a08667f929a8254430
15f6129bc55585c8da9ef55ceabac0c5c3a382cd5f3649c45024cbdfdb072ad0
ea817dad9e775458a44b3675cb377d42545005114862f36f6818e5c4dd0bf68e
dd364f123e241e6edd773382a05180e538e93eb6d471856f2217422e47526e51
d7e41edbdfb2f64098382cea28b8069402da3ae4c0e4511fecd81df614c23a31

SH256 hash:

34c384dd29f0ef2802c5f474e35704ca237f2e5276e4f5e5ce481b9c985550cf

MD5 hash:

4a91b3eefb1c22b8aa7356a9b9b4169f

SHA1 hash:

3191508f279cec3945bf20857105e0576ea9db06

Link:

https://www.unpac.me/results/00da03af-d14b-4b6f-93d9-151b3981669b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/d7e41edbdfb2f64098382cea28b8069402da3ae4c0e4511fecd81df614c23a31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

img 719e4eb54e56b935ab472d36ae5667a06c7fe1d557fb4bd2efe7414932d9e4d8

RedLineStealer

exe d7e41edbdfb2f64098382cea28b8069402da3ae4c0e4511fecd81df614c23a31

(this sample)

Dropped by

MD5 6c6af576bc251a6b856f070cc6052262

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 719e4eb54e56b935ab472d36ae5667a06c7fe1d557fb4bd2efe7414932d9e4d8

Cape

https://www.capesandbox.com/analysis/111714/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample