MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

SHA256 hash: fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931
SHA3-384 hash: e6435bddb99c2de0f43e0347a07ad4b2e8a1d401ae60b0f65ad46eb4d4aa6e0397f63b21cfcb7ae962acef1588f467ab
SHA1 hash: f975cb02d4f348ae6cd3fd112b746445bd653e87
MD5 hash: 651026d3f1f58ca2718cac5272a53192
humanhash: romeo-blue-two-tennessee
File name: 651026d3f1f58ca2718cac5272a53192.exe
Signature: RedLineStealer
File size: 299'008 bytes
First seen: 2020-11-04 06:32:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6cf2578a58c9e41f2d3aa14f2cb646ae (6 x RedLineStealer)
ssdeep: 6144:ewblJtOhHAtxrhz6wtT29kSlSeHLd89hXCY9b5y3B/isq2:eaTOhHAtCwc/dHLWnya5/s3
Threatray: 201 similar samples on MalwareBazaar
TLSH: FD54E000BA60D073C21114748856E2B15AAE6C315FBB8A837BEC7F7F6F223D1567A359
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://medavik.xyz/IRemotePanel

Intelligence

File Origin
# of uploads: 1
# of downloads: 109
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Using Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Creating a file
Launching a process
Stealing user critical data
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj
Score: 64 / 100
Signature
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2020-11-04 02:28:35 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:agenttesla family:redline discovery infostealer keylogger persistence spyware stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files

SHA256 hash: b5c5cf604294db0798383a06c5d9d75da79185f2095e2f095be680b5eef955d3
MD5 hash: 0ebf88581234ff258338b4796e7248c0
SHA1 hash: 1e0496e2cb8967b5d2a4b5d51dd4043711d220cd

SHA256 hash: 40872120eefcae36dbaaa687d94a34cc22c1ec687f42f373915c48dbe67a6223
MD5 hash: f6e7ee5ec3d7ebbcc23630138c66676f
SHA1 hash: 290fcd110ae2b8bbd8287193c30a31327ee01e67
Detections: win_redline_stealer_g0

SHA256 hash: 7dae9baca76fd5bfb3ca88e33296c2a4cbc58e65f6ceb8d757b4dd0f910e03b3
MD5 hash: 8e34cd87ed307e7577ffd747ecc0187e
SHA1 hash: f85e03efe6a7669d875f8f66ae6cfb94069daa95
Detections: win_redline_stealer_g0

SHA256 hash: fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931
MD5 hash: 651026d3f1f58ca2718cac5272a53192
SHA1 hash: f975cb02d4f348ae6cd3fd112b746445bd653e87
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931 (this sample)

Delivery method
Distributed via web download

Comments