MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc075421df7ff3f4be75087516e3a12e75e418dc9600d25066e76fdb72dcdaa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc075421df7ff3f4be75087516e3a12e75e418dc9600d25066e76fdb72dcdaa5
SHA3-384 hash: 63da73ee8e593cb4f5848c73e11b673fe4e6f7073130f732a6ea92f32430a9493ddb4de8f6903de86c56c10466cd283f
SHA1 hash: 6e2585ad8cdd72157236bcb49c8dc2bc94543acb
MD5 hash: d7ea3fda5afa8b48c063216fdbc0c1a3
humanhash: arkansas-social-failed-two
File name:d7ea3fda5afa8b48c063216fdbc0c1a3
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:683'008 bytes
First seen:2023-05-21 22:45:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:C7IYCvLHpF54duG3l3vKtCNPMTyZ2JoSJX0u1v5/:oI3THID3yGPMTyZ2
Threatray 1'547 similar samples on MalwareBazaar
TLSH T18DE4AE2471F94B55E03F97F156A8F92803B274A3A6F9DA250EE1B4CB4E61F001E45F2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
CATALOG2023.doc
Verdict:
Malicious activity
Analysis date:
2023-05-17 02:38:46 UTC
Tags:
exploit cve-2017-11882 loader rat redline trojan stealer
Link:
https://app.any.run/tasks/eedb99c7-6a0f-4aed-96b4-e9803b3982e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.27783.4449.2244.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646a9f2cf6613382080cc396/reports/24e05ed4-d04b-442b-9ecb-2671a15a3b46/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dc075421df7ff3f4be75087516e3a12e75e418dc9600d25066e76fdb72dcdaa5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c0f6fef-b1e0-411b-a1b8-4d8032964e2e
Result
Threat name:
RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1239044
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc075421df7ff3f4be75087516e3a12e75e418dc9600d25066e76fdb72dcdaa5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-17 06:28:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qdviio7p7z7jptvbb2rny5bfz26igg4syaneudg45x5w4w43ksq._file
Verdict:
malicious
Similar samples:
060cbd961bb22ca26578ec782af86ae672f6d39c9e06808889c4ba103a05221d
RedLineStealer
0694057d28dcfe563644c43aa19a08363b7440ea15b28dff3760f7fceab5463f
RedLineStealer
192e207cdd8aa22ef3c05c208f59580976a35c5a3050902b940703cdd7f4c1fb
RedLineStealer
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
RedLineStealer
5aa4e5f27db90a607fd574718308c861585f46b8577136f0dba2ea9390206764
RedLineStealer
7d19949247bbac4098f2d8566166deb54ca3150bc7fb088fed0992f3d16faccb
RedLineStealer
a6bf09d8242fd2933426629a504f995a5d624d555bd2f28a49876762ec0a03a6
RedLineStealer
ca6a6aecce39ebda2e107fbe004eabd01987ef49bc04078d42a566cc517be270
RedLineStealer
e743084d25378307adb39573ea3f1dac734e8179215a962fc2b0d85b50c3db8f
RedLineStealer
ee6eb7d56a2ee539b39d8c06bf3984e7e4ba0a28657463f7827e59e3ef9ae6b8
RedLineStealer
+ 1'537 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:invoice2100 discovery infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/230521-2pyd7sff4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
45.12.253.208:3030
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/c36dca2a-2e74-4346-922a-67d03c3fdaf4/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a7485443b331c2fca54197f53638cb11a8c82bac339b66f35b95d0ad0aceb438
MD5 hash:
dfca41d2838170cb07ef445bb7d9c987
SHA1 hash:
7622672bed23f065cafdf2a17879ebf5926aba8b
Link:
https://www.unpac.me/results/c36dca2a-2e74-4346-922a-67d03c3fdaf4/
SH256 hash:
0ef4a5673ffa38758277b9700d88ca81941921260fdb6c11c6046741348b27c3
MD5 hash:
a09e487e5914d5e57973d17c3f80492e
SHA1 hash:
55e4c83d2667290a3f0f20b576248433daa568a4
Link:
https://www.unpac.me/results/c36dca2a-2e74-4346-922a-67d03c3fdaf4/
SH256 hash:
776a44efcb61ba323c7666332d43b801c094f96b93e0dde4153aad45aafc42c4
MD5 hash:
0da22f4c52801d4d15981d7a7101d0ea
SHA1 hash:
220f85947c19f80a826e9093a0cde79e355fb00a
Link:
https://www.unpac.me/results/c36dca2a-2e74-4346-922a-67d03c3fdaf4/
SH256 hash:
c7cd2ecd410bf09f194383b2ae243e8d31aa7daa775657e7f1561ece4763bb11
MD5 hash:
8aa2e9cd2db0ea575f8355586d22328a
SHA1 hash:
070b0cb32e056b2be44a51a65afc3047a903ad23
Link:
https://www.unpac.me/results/c36dca2a-2e74-4346-922a-67d03c3fdaf4/
SH256 hash:
dc075421df7ff3f4be75087516e3a12e75e418dc9600d25066e76fdb72dcdaa5
MD5 hash:
d7ea3fda5afa8b48c063216fdbc0c1a3
SHA1 hash:
6e2585ad8cdd72157236bcb49c8dc2bc94543acb
Link:
https://www.unpac.me/results/c36dca2a-2e74-4346-922a-67d03c3fdaf4/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc075421df7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/dc075421df7ff3f4be75087516e3a12e75e418dc9600d25066e76fdb72dcdaa5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021
Create hunting rule
Author:BlackBerry Threat Research Team
Description:Detects Unobfuscated RedLine Infostealer Executables (.NET)
Rule name:pe_imphash
Create hunting rule
Rule name:Redline32
Create hunting rule
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe dc075421df7ff3f4be75087516e3a12e75e418dc9600d25066e76fdb72dcdaa5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2638340/

Comments


Avatar
zbet commented on 2023-05-21 22:45:49 UTC

url : hxxp://171.22.30.164/philipzx.exe