MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd95534ba96dec77e6e6deb7c3d29e34bf0e5941099c13c39b9ced0495c11902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	dd95534ba96dec77e6e6deb7c3d29e34bf0e5941099c13c39b9ced0495c11902
SHA3-384 hash:	fc0ae762e3adc80097558fc2d04235219a974f6f23308d53e13ea04f769572d039f656938e98047ff56c00c723e44512
SHA1 hash:	67954ff475d35b0df508fb78a979ae0611f1e865
MD5 hash:	a0de8959ab1f5b28cb822b3a53c52fda
humanhash:	avocado-spring-vermont-october
File name:	a0de8959ab1f5b28cb822b3a53c52fda.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	32'768 bytes
First seen:	2020-06-25 17:13:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	384:KhAUHBtuDigF/dtXeiOlGvv+VU5oBsrN34REz:GAUHBtuDigF/zXe3lGniU2A14M
Threatray	80 similar samples on MalwareBazaar
TLSH	6FE2F71163DC533BD4EA4F78A6B58741C771FE269922D32E189CA09D0A73B814F12BB3
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://ensaveni.xyz/IRemotePanel

Intelligence

File Origin

# of uploads :

1

# of downloads :

88

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/14476/

Detection(s):

SecuriteInfo.com.Trojan.KillProc2.10993.13286.18781.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Forced shutdown of a system process

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dd95534ba96dec77e6e6deb7c3d29e34bf0e5941099c13c39b9ced0495c11902/

Threat name:

ByteCode-MSIL.Dropper.Azorult

Status:

Malicious

First seen:

2020-06-13 00:00:04 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3wkvgs5jnxwhpzxg3234huu6gs7q4wkbbgobhq43ttwqjfobdeba._file

Verdict:

malicious

Similar samples:

0dece9fdaaf9fca84d4ea64f94e789ee03a7a7e663d138327c662c4fc23aa2bb

116c73aa349f83509f2440164027a89a7654d352231ffe5fbf6ff81e37003b8c

3428e7b4b164f5368a799c3eff77c10ca69508ddca29e5268b238c0018426896

34e142c3ca75844c48639cfc8f60513d23c02a65addef3bce69f5b49b34277a1

366e9022a9fa52f3402d27ae42fd700628363668dc25ed958c8cd648c6e4e08e

3c90e174ff5097d991e0b99001a4e64e0c9e312df0ec03cee51380148974920e

5b5eab7a12fdfc6cc39e39193b7a9020ee46e72acac70033236ef9b6b2da32c7

89f08e47a8ba6e70c1e313ffd49959a5966f07b2ae77f1afead296ff3146c89c

d52bf5a290ca4006cf1a7e2a1e808d20e97dad4ecd577c007359fe964b09ceae

ec837014dcb222fd3780d0730e297c9a09786cc57a42a9da092c9199c1f9660b

+ 70 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

discovery spyware infostealer family:redline evasion trojan

Link:

https://tria.ge/reports/200625-1vq3xkbqxn/

Behaviour

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Kills process with taskkill

Suspicious use of WriteProcessMemory

Checks whether UAC is enabled

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Modifies system certificate store

Checks for installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

RedLine

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/14476/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample