MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbbc9e640af23658de56eba2f5ec2152de38fa35f11343f0d2216b8b5d7967a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	dbbc9e640af23658de56eba2f5ec2152de38fa35f11343f0d2216b8b5d7967a8
SHA3-384 hash:	473f9d6c2ad96b30e3622b42a5078c0853fb280e245e6d0103befda6e42ef43a3bedf1b183c5f303a4580819dd466a9b
SHA1 hash:	1e1cdc9cc03c026157bdc5dca1f9c0ee78de71aa
MD5 hash:	84a0f9d46ca77c5ae10713f844cfedbd
humanhash:	asparagus-papa-leopard-wisconsin
File name:	84a0f9d46ca77c5ae10713f844cfedbd.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	20'480 bytes
First seen:	2020-07-07 10:22:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	384:Juj/30m12PjAvdvLpsBdd/zPZ+FSurvYBk8ksOXFGn3KOS+dqJiBg:nm1iUvdzpEMrvYmzdYn6OMIg
Threatray	81 similar samples on MalwareBazaar
TLSH	CB92F82673FC833ED9AB47B4ABB193954770A1965912D76F1CC420E58BA3B800B537E3
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://yntenn.icu/IRemotePanel

Intelligence

File Origin

# of uploads :

1

# of downloads :

82

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Spider.1.7636.22201.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file in the Windows subdirectories

Sending an HTTP GET request

Launching a process

Connection attempt

Running batch commands

Using the Windows Management Instrumentation requests

Searching for the window

Forced system process termination

Launching a tool to kill processes

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dbbc9e640af23658de56eba2f5ec2152de38fa35f11343f0d2216b8b5d7967a8/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-07-07 10:23:04 UTC

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3o6j4zak6i3frxsw5orpl3bbklpdr6rv6ejuh4gsefvywxlzm6ua._file

Verdict:

suspicious

Similar samples:

1681aa9c53703a91a8feb2296051bffc02763c1663e8e50113d51c4b7cb37378

3690d387e841f98e0a92a700196961b11b717b0f543e601d7e0f6c848cc77bbf

3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd

692dc7ac48dfa381cd7f860236876e3621af2e1dc984b8f14cad498e412e88d8

aa30299c8266809acb727ef5ec89a80f0cdbcc848550607743f256438f00e398

cfac75f3ee6ba6f7816e73908f679a7c185b12044580c1f6b0cbf41dfe74b0f7

d0e642197915ade19fb4c2df299063e49ed7f650e4b3b6ee90d4f0d626b900c3

ed1a371e8918f6f1dde9fad1e3edb2c984ea3704217e2bca5b2489b61d1bc56e

ee5330d0a01cd004994c5798a3c0c09b160b560e6cdb3f2509b9af2431a0a8fd

f208226c60c95ee10f879f0f38ad9bf85a30fa411d6d20893e9ddaea5a0daf20

+ 71 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

evasion spyware trojan discovery infostealer family:redline

Link:

https://tria.ge/reports/200707-mc3fwjpgga/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks for installed software on the system

Looks up external IP address via web service

Modifies system certificate store

Reads user/profile data of web browsers

RedLine

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe dbbc9e640af23658de56eba2f5ec2152de38fa35f11343f0d2216b8b5d7967a8

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/407605/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/22228/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample