MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 decd15e2e48ecd6ad7fedaae8e9233c2a8594cd39fd32a2cb12c0fdaba7a1af6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 7 File information Comments

SHA256 hash:	decd15e2e48ecd6ad7fedaae8e9233c2a8594cd39fd32a2cb12c0fdaba7a1af6
SHA3-384 hash:	a54db67a2b0b720091701dacd9d4170cb3f64e8eec718e06e418e93fd630f79ed2cc6bf31157ebafd67a46355ad98d15
SHA1 hash:	de9b84c554edb747fabc338af5cd973efcbd4d64
MD5 hash:	aa3110c2e58c3b7283418ca02ae27aea
humanhash:	cold-pizza-ceiling-indigo
File name:	aa3110c2e58c3b7283418ca02ae27aea.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	6'547'456 bytes
First seen:	2021-10-02 13:45:50 UTC
Last seen:	2021-10-02 14:56:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	196608:ebV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftm:L90jVvBXvoww77rc
Threatray	1'280 similar samples on MalwareBazaar
TLSH	T18C6633C3BBA8BF9DE556D1393210CB446C59E4B122585BFFF44F69A0D6A06F2036CD82
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.38.54.84:44885

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.38.54.84:44885	https://threatfox.abuse.ch/ioc/229746/

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aa3110c2e58c3b7283418ca02ae27aea.exe

Verdict:

No threats detected

Analysis date:

2021-10-02 13:46:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e3f64fd2-d6c7-487f-8746-a9d36a79ee96

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194191/

Detection(s):

SecuriteInfo.com.PWS.MSIL.Stealer.DHCMTB.4788.28624.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file

Deleting a recently created file

Reading critical registry keys

Connection attempt to an infection source

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d64993ae-390b-42e0-af49-c8a50b025b2b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/863187

Signature

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect virtualization through RDTSC time measurements

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/decd15e2e48ecd6ad7fedaae8e9233c2a8594cd39fd32a2cb12c0fdaba7a1af6/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-09-29 09:34:06 UTC

AV detection:

10 of 28 (35.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=33grlyxer3gwvv763kxi5ertykufstgtt7jsulfrfqh5vot2dl3a._file

Verdict:

unknown

RedLineStealer

1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99

RedLineStealer

368d69f599577877c3dca1b45eae62a7da934b832dc2f3b5dfcf18a99f3600be

RedLineStealer

38582026970861e90f4f3f15da60fa5c8bc8759a2fab6c58a6c262d9096ac1e4

RedLineStealer

4c89265179f2471e24688ac126c541886173be7773617450b0849cb48a5a293d

RedLineStealer

5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303

RedLineStealer

7f614448fc2dadd4bc8a8e495e53d1d05c13d7202eb519b687f9b0c2996b4bef

RedLineStealer

8f5b300680db95b545347229941acb9113690ab187cd7ac7b2cc601b9e31a205

RedLineStealer

93e582393fca866d1291b3852e63dbe2e7a1460e9e2ab3d750083f28f4d04e64

RedLineStealer

9f387190a5ac2872f67933759c544031a1485727d41329d9c4740c2358c54fe0

RedLineStealer

+ 1'270 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

agilenet evasion themida trojan

Link:

https://tria.ge/reports/211002-q2zbgsedb5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

decd15e2e48ecd6ad7fedaae8e9233c2a8594cd39fd32a2cb12c0fdaba7a1af6

MD5 hash:

aa3110c2e58c3b7283418ca02ae27aea

SHA1 hash:

de9b84c554edb747fabc338af5cd973efcbd4d64

Link:

https://www.unpac.me/results/df071464-b317-4140-81bc-1d766edc088f/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/decd15e2e48e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/decd15e2e48ecd6ad7fedaae8e9233c2a8594cd39fd32a2cb12c0fdaba7a1af6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_AgileDotNet Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Agile.NET / CliSecure

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194191/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample