MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68
SHA3-384 hash: 00caf468b17c959fe9fdc52dccc614378099811d5bf90fb613b0145e0cd47b2a40af9c57d1ea7375bcdcc980dcb12815
SHA1 hash: f444965d6192c1dd8779665a5ec5f0dbc2e8781b
MD5 hash: 6a30c4f159af10611e8b6780ca7e9fb9
humanhash: ohio-pizza-alanine-oscar
File name:E-invoicing_17_01_2021_804614300125.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:20'480 bytes
First seen:2021-01-18 18:15:37 UTC
Last seen:2021-01-21 16:08:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep 384:9gauRrFsJX/vMiE4YM6ElvZxMklfaF/ImoKPG5qWVVOPU:uauRBsJvJTv7lfYroKo7VV3
Threatray 325 similar samples on MalwareBazaar
TLSH 91924B2273E95739E89E077885FD8A818B34F5589903DB5FACC850965B23F850D133BB
Reporter abuse_ch
Tags:exe RedLineStealer TNT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server40.happybyte.gr
Sending IP: 94.130.204.38
From: TNT Express <info@princelia.com>
Reply-To: noreply@tnt.com
Subject: 电子发票-E-invoicing_17_01_2021_804614300125
Attachment: E-invoicing_17_01_2021_804614300125.cab (contains "E-invoicing_17_01_2021_804614300125.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E-invoicing_17_01_2021_804614300125.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 18:25:45 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2a9d795c-3c2c-44b4-9e69-32ded6edabda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112640/
Detection(s):
SecuriteInfo.com.Trojan.PWS.RedLine.16.10877.30483.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Launching a process
Creating a file
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Sending a TCP request to an infection source
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/584105
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 12:33:17 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rvk66wprmei3uxqupf77vnopzlo2fuav3glf7365s45kz4wz5ua._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1590167d71c9cd4bdacf01d5e56fb3b4315ddaf7ede3dc270de784a7ec12f2dd
RedLineStealer
3ba509359db69542f368af1d41dd8fa1c116e3e31ded1879872bb34a41f9cbbb
RedLineStealer
452413e4c1ae53679f676ea7e97a7f98697ee833896c6119bc6d8bf15cf06fba
RedLineStealer
750fad3db3f495fec07ac204f7e3717e75324ea9beed2fce1c48350015b888c5
RedLineStealer
9753fb15b17d78d8f7793caadf177d71bf6f0a99e490537e768812a835db22fa
RedLineStealer
a990373e6225384bd1bab3441dc0cb881f1e03f51f83f7923ca6c9ff228bee5c
RedLineStealer
b9105cf604b9ad1920c062d8538f8096ea0ab0cfe81a0e8697366726f2b01db7
RedLineStealer
f38a6d59735df60c2612686710b66c44a0042b7df2fe97e048fc6e480ce4848c
RedLineStealer
f9a12bd3805ccb30888cf55b8145dcbdeb64ecab5cc2be9d1ab831585ee2831b
RedLineStealer
fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437
RedLineStealer
+ 315 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/210118-mlk9zasqds/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Unpacked files
SH256 hash:
dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68
MD5 hash:
6a30c4f159af10611e8b6780ca7e9fb9
SHA1 hash:
f444965d6192c1dd8779665a5ec5f0dbc2e8781b
Link:
https://www.unpac.me/results/ef165483-24cc-4475-991f-9eae0d9863d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

cab f6a64cd4e4b11b8bd9b8b48915ee43cc600ed17715bd33710502de15a3d7ed74

RedLineStealer

Executable exe dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68

(this sample)

  
Dropped by
MD5 841c7ce6ad618da99ee4159694f286fe
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112640/
  
Dropped by
SHA256 f6a64cd4e4b11b8bd9b8b48915ee43cc600ed17715bd33710502de15a3d7ed74

Comments