MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3addd4874b4677670bb519bb4c5df6cda360530dd593206922bbca3416b44a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 4 File information Comments

SHA256 hash:	e3addd4874b4677670bb519bb4c5df6cda360530dd593206922bbca3416b44a0
SHA3-384 hash:	133b58ca6946e770b8cb9f9d218812e83610de29150f409175408d6cc150281889e78622ed0b45b8b9884f237ef2723a
SHA1 hash:	26bcb07c82a19996f8af05e7485ecae4c583d935
MD5 hash:	02abf05270db9d010840c9e133aa9934
humanhash:	artist-seventeen-jersey-item
File name:	Quote Request62781838PDF.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	542'208 bytes
First seen:	2021-11-30 15:14:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:0GHiQcv5zBbPA+g+A4Y3bFq0PHtPQCv6nnjqKoe:bHiXtBbPA1+JmNHt4+6nnjqKoe
Threatray	2'548 similar samples on MalwareBazaar
TLSH	T195B4AF877584869CDE7E46F6A213405433E6DCBFD518E30D6FC432975EE6B920822B2B
File icon (PE):
dhash icon	f2909696969ef66e (42 x AgentTesla, 42 x SnakeKeylogger, 13 x Formbook)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
37.0.10.21:34763

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
37.0.10.21:34763	https://threatfox.abuse.ch/ioc/256468/

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Quote Request62781838PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-11-30 15:21:58 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/53ebd400-d0db-43b1-a7e7-56ae9330118e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/209972/

Detection(s):

Win.Trojan.Generic-9907631-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61a63ffabbfd2af97cbcd01a/reports/b117ccaf-bfac-4649-a5a5-e3b569312fa0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/695465c1-3fa5-4a22-b525-4fb5998224a1

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/898788

Signature

.NET source code contains potential unpacker

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3addd4874b4677670bb519bb4c5df6cda360530dd593206922bbca3416b44a0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-30 15:15:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ow52sduwrtxm4f3kgn3jro7ntndmbjq3vmtebusfo6kgqllisqa._file

Verdict:

malicious

RedLineStealer

445201065ad563325f43f6f25d6b5ffccb437a6d15d5e43a5cc7d259050d138d

RedLineStealer

48f2f3424044a4751015b2670e5c5b9f4039ad28de0a268132084cfe76437e6e

RedLineStealer

702d02cc220387cd8f2029520cde97bd3879a1e151b198b4e3faea08b808cc9a

RedLineStealer

7c790dc9174daf4135dcfdc30aad3ba8df18fc1cf4ce549c51501fa7eb7be38d

RedLineStealer

d6c6604e4081f2de1edb2ce716ddcc8186f252ca1babc641b83e77fdf14fca7b

RedLineStealer

+ 2'538 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211130-smw9paaed2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

gun12.duckdns.org:34763

Unpacked files

SH256 hash:

d7d5c7a44499fc76c99f7f24b1242c3c2d478fe21a31993a7b95c221effe2d21

MD5 hash:

b55214ff1aec0c44ceff33eeef5f143e

SHA1 hash:

f4e77f771996bc2ee3d4efebe5ee66bd7d4996c8

Link:

https://www.unpac.me/results/c0b6e87d-e08e-45c4-bfcf-01b41441c3e7/

SH256 hash:

a57a75c53ba68f020b25766cce1a686694a6707ac22e168da87fdf3c4aed631a

MD5 hash:

4993a304a671f8c0c19354e0713c9453

SHA1 hash:

a06818bea106e1fba3d758365f06e15cb3ba7f4f

Link:

https://www.unpac.me/results/c0b6e87d-e08e-45c4-bfcf-01b41441c3e7/

SH256 hash:

b19104b568ca3ddccc2a8d3d10ecddb1ea240171e798dc3a486292cfa14b6365

MD5 hash:

7b0900da932f4ed9630d65b04422736d

SHA1 hash:

6fa340436e3a8e73ae2b3e911f861483183c68ef

Link:

https://www.unpac.me/results/c0b6e87d-e08e-45c4-bfcf-01b41441c3e7/

SH256 hash:

e3addd4874b4677670bb519bb4c5df6cda360530dd593206922bbca3416b44a0

MD5 hash:

02abf05270db9d010840c9e133aa9934

SHA1 hash:

26bcb07c82a19996f8af05e7485ecae4c583d935

Link:

https://www.unpac.me/results/c0b6e87d-e08e-45c4-bfcf-01b41441c3e7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3addd4874b4677670bb519bb4c5df6cda360530dd593206922bbca3416b44a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/209972/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample