MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f90e958c973fcc357ea65be93434edbb959327ac3dc399e12de0ccd9cc636349. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f90e958c973fcc357ea65be93434edbb959327ac3dc399e12de0ccd9cc636349
SHA3-384 hash: 109b3df247b0368598a5d6a101219526a716e39b6bca9e481aa6ac3da70e5e1fed8d60c2dee73c6eddc4a74be72c3190
SHA1 hash: 9ad2f6abe6f76193230b2df34c3aef937ce31f75
MD5 hash: ed33df024769400ef3f8e2e40fd39f27
humanhash: salami-eighteen-asparagus-high
File name:MT1031497647449.pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'305'088 bytes
First seen:2023-01-13 13:30:31 UTC
Last seen:2023-01-13 15:37:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:4gq2pQSnIez2Mhpk1/tX0BhzdbPF/pqZkMS:vq2pPthpQ8hzdXqZkb
Threatray 2'231 similar samples on MalwareBazaar
TLSH T13455F8AD736478DFC963C0B9CD64ACA4FA917826D31E0D0B70172097192E643AE95CEF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 34ecccccd4e8f4dc (4 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
133.130.55.60:24092

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
MT1031497647449.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-13 13:33:13 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e12050d0-66c7-457c-accb-c04f959224d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352585/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4303.25523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c15d1aeceae563152cc003/reports/65f2f7fc-9d2d-4ba9-80e0-15b13cd66b94/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a15cc64-3964-408a-8246-0e0f2d9a2665
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1151088
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 783819 Sample: MT1031497647449.pdf.exe Startdate: 13/01/2023 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 9 other signatures 2->43 7 MT1031497647449.pdf.exe 6 2->7         started        11 cebroPAEH.exe 5 2->11         started        process3 file4 29 C:\Users\user\AppData\Roaming\cebroPAEH.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmpF108.tmp, XML 7->31 dropped 33 C:\Users\user\...\MT1031497647449.pdf.exe.log, ASCII 7->33 dropped 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->45 47 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->47 49 Uses schtasks.exe or at.exe to add and modify task schedules 7->49 13 MT1031497647449.pdf.exe 4 7->13         started        17 schtasks.exe 1 7->17         started        51 Multi AV Scanner detection for dropped file 11->51 53 Machine Learning detection for dropped file 11->53 55 Injects a PE file into a foreign processes 11->55 19 schtasks.exe 1 11->19         started        21 cebroPAEH.exe 2 11->21         started        23 cebroPAEH.exe 11->23         started        signatures5 process6 dnsIp7 35 133.130.55.60, 24092, 49695, 49696 INTERQGMOInternetIncJP Japan 13->35 57 Tries to harvest and steal browser information (history, passwords, etc) 13->57 59 Tries to steal Crypto Currency Wallets 13->59 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f90e958c973fcc357ea65be93434edbb959327ac3dc399e12de0ccd9cc636349/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-13 13:31:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ehjldexh7gdk7vglputinhnxokzgj5mhxbztyjn4dgnttddmneq._file
Verdict:
malicious
Similar samples:
32551f9124a359edf3435979372676a4c5bbaeb0423cc3ec53d382abb39d850f
RedLineStealer
4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4
RedLineStealer
501f2463bdfc1e0260205d87eab7bcfe23254cefb6f43923172bb852cc96b2dd
RedLineStealer
d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d
RedLineStealer
de58c36e0d6373fdba1d14fe4085968e4753ed8d490699b36c7f065a4d9a6ea8
RedLineStealer
ecf0c11ebf5e4d33208470fa906bd052aed3bbb5389b6b5a382b33b8a92cf70c
RedLineStealer
ee1613bb37062a8e65092ec3aad9efc1c21f65732745d5557d255c13d6b28d3f
RedLineStealer
+ 2'221 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mr-moxy discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230113-qsdcnahc29/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
133.130.55.60:24092
Unpacked files
SH256 hash:
eb46c6da218bb131c3fcd985eeefebae4dc196381684cbe1e43e1da6f5328c94
MD5 hash:
410f3e86b4b82f338e2c8c49eb8eca2c
SHA1 hash:
cdaf85b25cd53196ce651fe1d3bee0a60a400b9e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/dcb69568-38b5-42a0-a243-9c360878d0c6/
Parent samples :
f90e958c973fcc357ea65be93434edbb959327ac3dc399e12de0ccd9cc636349
caafa65df4fff5648321d0c3d69b77400b0fd4cb85671ba60b59fa0a2c28caa5
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/dcb69568-38b5-42a0-a243-9c360878d0c6/
SH256 hash:
69e3635c32ab1f34e3220cdb1de4b8cc4b60bd0e6d5258be98352644f2c05af8
MD5 hash:
c3273c5e31b02caec8eb5ff1ab14fd22
SHA1 hash:
369003dcf2a10e6a8e046459f910cda7a2d3771e
Link:
https://www.unpac.me/results/dcb69568-38b5-42a0-a243-9c360878d0c6/
SH256 hash:
f90e958c973fcc357ea65be93434edbb959327ac3dc399e12de0ccd9cc636349
MD5 hash:
ed33df024769400ef3f8e2e40fd39f27
SHA1 hash:
9ad2f6abe6f76193230b2df34c3aef937ce31f75
Link:
https://www.unpac.me/results/dcb69568-38b5-42a0-a243-9c360878d0c6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f90e958c973f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f90e958c973fcc357ea65be93434edbb959327ac3dc399e12de0ccd9cc636349

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/352585/

Comments