MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec58fa2d1346060279ee99733d74491fd84964e469fc29973b220915eab5d168. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec58fa2d1346060279ee99733d74491fd84964e469fc29973b220915eab5d168
SHA3-384 hash: b9bda635c05fe4f6c729dfc92a44e30ed724c036569e03bd0729d199e12dd060a75a834bda521d30be335e27108d1c9e
SHA1 hash: dcc903a3400b1127b074ccd15146c41355ae5dc2
MD5 hash: 2150504adf5a9c6d8966bb47de88d4ea
humanhash: delta-illinois-edward-twenty
File name:2150504adf5a9c6d8966bb47de88d4ea
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:99'840 bytes
First seen:2022-06-29 16:52:16 UTC
Last seen:2022-06-29 19:36:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:gDyRQGRn9aqpKzTSmIIVRwSCwwFw30pVxl3R2N67M4X7aE6Xj2uDiywR2H/t:gDdo9alSmIIPwy0pXl3PA4St8Q
Threatray 5'303 similar samples on MalwareBazaar
TLSH T122A39D197B1CEA1DED148676AC37CA652970BC00AE258E97B8C83F6F3C3919C55136F2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 32b998e6e2f775b6 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284335/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bc83aea17f249ae3e6658f/reports/3cc18b63-0bc7-4c91-a8b4-b27b66b1b4b3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVEMARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/641cb574-88eb-4690-8ec1-0801a1da7880
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022051
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 654551 Sample: 7KxCl3xOD3 Startdate: 29/06/2022 Architecture: WINDOWS Score: 100 52 ghahantellorb.com 2->52 82 Snort IDS alert for network traffic 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 9 other signatures 2->88 11 7KxCl3xOD3.exe 16 8 2->11         started        signatures3 process4 dnsIp5 56 tiny.one 104.21.234.39, 443, 49739 CLOUDFLARENETUS United States 11->56 58 www.jollygiunco.com 31.11.32.193, 443, 49741, 49742 ARUBA-ASNIT Italy 11->58 60 jollygiunco.com 11->60 44 C:\Users\user\AppData\...\Shortcuts.exe, PE32 11->44 dropped 46 C:\Users\...\Ttiedsvrhyebneejuffqrpmax2.exe, PE32 11->46 dropped 48 C:\Users\...\Shortcuts.exe:Zone.Identifier, ASCII 11->48 dropped 50 C:\Users\user\AppData\...\7KxCl3xOD3.exe.log, ASCII 11->50 dropped 90 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->90 92 Encrypted powershell cmdline option found 11->92 94 Injects a PE file into a foreign processes 11->94 16 Ttiedsvrhyebneejuffqrpmax2.exe 11->16         started        19 7KxCl3xOD3.exe 4 11->19         started        22 powershell.exe 15 11->22         started        24 7KxCl3xOD3.exe 11->24         started        file6 signatures7 process8 dnsIp9 74 Antivirus detection for dropped file 16->74 76 Multi AV Scanner detection for dropped file 16->76 78 Machine Learning detection for dropped file 16->78 80 3 other signatures 16->80 26 explorer.exe 16->26 injected 54 65.108.27.131, 45256, 49767 ALABANZA-BALTUS United States 19->54 28 conhost.exe 22->28         started        signatures10 process11 process12 30 Shortcuts.exe 14 3 26->30         started        34 Shortcuts.exe 26->34         started        dnsIp13 62 tiny.one 30->62 64 104.21.234.38, 443, 49761, 49764 CLOUDFLARENETUS United States 30->64 72 3 other IPs or domains 30->72 96 Multi AV Scanner detection for dropped file 30->96 98 Machine Learning detection for dropped file 30->98 100 Encrypted powershell cmdline option found 30->100 36 powershell.exe 30->36         started        66 tiny.one 34->66 68 www.jollygiunco.com 34->68 70 jollygiunco.com 34->70 38 powershell.exe 34->38         started        signatures14 process15 process16 40 conhost.exe 36->40         started        42 conhost.exe 38->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec58fa2d1346060279ee99733d74491fd84964e469fc29973b220915eab5d168/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 16:53:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5rmpulitiydae6potfzt25cjd7meszhenh6ctfz3eierl2vv2fua._file
Verdict:
malicious
Similar samples:
1894ee1e31d02ce95f3fb5bfaaeade0718232866702e70bd19a70a0a15a3343c
RedLineStealer
68feb6c25b2ce057bdc2c97119f10b980a864b7c3306e785bbbff1ab8ca4197f
RedLineStealer
78ef012bfc38086561885872a68ec92227efa9c233265e68cdd13960a1a46e1d
RedLineStealer
ad8da7f38644aa54c0983c703436a872daecd353e1470e831aa209e0b37f837e
RedLineStealer
aebf6d9977e867fe556ee9be83d75b8a0666bf6953ccc061ac85f690a1f30930
RedLineStealer
c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86
RedLineStealer
e4fc635ea1f2fbe988ee1df4535bdd2648eb701f7de8130abeddeb9d17b9bb04
RedLineStealer
+ 5'293 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:binar discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/220629-vdyghabcbm/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
65.108.27.131:45256
Unpacked files
SH256 hash:
ec58fa2d1346060279ee99733d74491fd84964e469fc29973b220915eab5d168
MD5 hash:
2150504adf5a9c6d8966bb47de88d4ea
SHA1 hash:
dcc903a3400b1127b074ccd15146c41355ae5dc2
Link:
https://www.unpac.me/results/7cb5fac3-e693-4ca7-82fe-c7f0173d632e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec58fa2d1346/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ec58fa2d1346060279ee99733d74491fd84964e469fc29973b220915eab5d168

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ec58fa2d1346060279ee99733d74491fd84964e469fc29973b220915eab5d168

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2252498/
Cape
Cape
https://www.capesandbox.com/analysis/284335/

Comments


Avatar
zbet commented on 2022-06-29 16:52:22 UTC

url : hxxp://www.graficadupress.com.br/catalog/model/amazon/images/wam.exe