MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed1a371e8918f6f1dde9fad1e3edb2c984ea3704217e2bca5b2489b61d1bc56e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 4



SHA256 hash: ed1a371e8918f6f1dde9fad1e3edb2c984ea3704217e2bca5b2489b61d1bc56e
SHA3-384 hash: 460879f26512be9b9f31fa00bb742a87549e6658a1bf202048308db711c447757916956ea0397da9c2328cd0acfc1796
SHA1 hash: 5f4e91de606bb79eff2f4520ecacaecf550be7a0
MD5 hash: b00d56d99248f7ae074a2e8aab07c67d
humanhash: fix-jig-twenty-victor
File name: b00d56d99248f7ae074a2e8aab07c67d.exe
Signature: RedLineStealer
File size: 20'992 bytes
First seen: 2020-07-08 07:19:20 UTC
Last seen: 2020-07-08 09:46:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 384:CY9P/u08dbTd2zFFemw6lhe1pL7iN3nN4wuCJiB1:fdydSnw6eHPiNdqCI1
Threatray: 81 similar samples on MalwareBazaar
TLSH: B5921B2173D8833AC8FF477888EAC2464778D1669A21EBAB1EC4508686576C44F737F3
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://sllennowa.site/IRemotePanel

Intelligence


File Origin
# of uploads: 2
# of downloads: 78
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Forced system process termination
Launching a tool to kill processes
Unauthorized injection to a system process
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2020-07-08 07:21:05 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies system certificate store
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe ed1a371e8918f6f1dde9fad1e3edb2c984ea3704217e2bca5b2489b61d1bc56e (this sample)

Delivery method: Distributed via web download
