MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f
SHA3-384 hash:	8fc37bb25c76a96ad42a804bdc106119a0ac76d576c1ec64bc29522035ae969716cd15062c60f9b786fee9a8643abf89
SHA1 hash:	c74e71d69ea9102e2055c9e1ded8d23d29534714
MD5 hash:	f8f394cc62f1da7ee0717ae76fb14d96
humanhash:	white-alabama-delta-india
File name:	f8f394cc62f1da7ee0717ae76fb14d96.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	896'592 bytes
First seen:	2020-10-04 13:46:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:EOP5loM4687ORHVW3SoQ165l9+XW+MmnrHSyAO:EOP5w67fUSc9+XW+M4rX9
Threatray	43 similar samples on MalwareBazaar
TLSH	8115E0613BA5CA60D784193488DB853C13A1DEABB136B3C73F9C766C69722364D427CE
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://moonberry.pk/IRemotePanel

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% directory

Deleting a recently created file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/480870

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Found many strings related to Crypto-Wallets (likely being stolen)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM_3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2020-10-04 12:03:03 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7zakeymbtogb6eyivlpnhv4x7uvn45gcxmr7khpo3rfvwdapfvxq._file

Verdict:

suspicious

RedLineStealer

09cb72a7bbb6ed837874193fcecdc231ed9d87752d1d1f668e7afcb2f10440de

RedLineStealer

3481235147e1800772079eba0f3df848735378b9711d3a11b90141a01de3898b

RedLineStealer

3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5

RedLineStealer

8611b66792009b09d0b2459319d53f4bc276400c55db9ebeb88527526d727156

RedLineStealer

8a6b671ef4fc65efa1bd306da35f4bf2a18814d1ecf0f868ff2f27177fb37809

RedLineStealer

aa10af5c6a92dc01b8ba38871c9a1b111cc36a6e0f6d1a039b5ba624bb700a36

RedLineStealer

ca1104a79514d23f1d60fc6e92e626a6a29c3b217bdf30324237c7d12c5dfb10

RedLineStealer

e38724644ed4643ebcdea6b0ae8345bf094d9f6e6d81b0acb244f96a3129077e

RedLineStealer

f37537ab1a0c2fd830bf2ea03f299ceccf2d1eb5f8c72be80580a680450da4aa

RedLineStealer

+ 33 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

keylogger stealer trojan spyware family:agenttesla persistence discovery infostealer family:redline

Link:

https://tria.ge/reports/201004-hdlhae4qfs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Accesses cryptocurrency wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Deletes itself

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

RedLine

Unpacked files

SH256 hash:

fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f

MD5 hash:

f8f394cc62f1da7ee0717ae76fb14d96

SHA1 hash:

c74e71d69ea9102e2055c9e1ded8d23d29534714

Link:

https://www.unpac.me/results/f6758d7f-6b61-42aa-b717-aa395a32541b/

SH256 hash:

a091225ee7d82f3270df53c21f95efe6422f9e9f42424ad631b563df69af1af3

MD5 hash:

c39b1be117dfe095c11960b0dbfa50ea

SHA1 hash:

14d051bd930e07b35416c383042959a63ac4568e

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/f6758d7f-6b61-42aa-b717-aa395a32541b/

Parent samples :

4bcd16af2791ebba58ab162c928e238197c14735650f73e98fc471ad677ab13a
082f1317f03b76584194dc5b800ed466cc1fbef34ef63a6019c2dc1de47212ed
fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f
551022935cb64a9df1e36625a3be468c99a25086b505a4dba1c533f3f749c7a4

SH256 hash:

01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a

MD5 hash:

eb593633270aa19162cf64663df9dd6c

SHA1 hash:

2ec57181471ff10abe9a04239ca3ea86ea4252b9

Link:

https://www.unpac.me/results/f6758d7f-6b61-42aa-b717-aa395a32541b/

SH256 hash:

2076f24792977d7fc98c2b04a57790899865013be48cc16fed16e1074cbe0a6f

MD5 hash:

ea81561032def5531e6a066118355f30

SHA1 hash:

d0253c47fbf35df6466d15a6855ee61b07c4162c

Link:

https://www.unpac.me/results/f6758d7f-6b61-42aa-b717-aa395a32541b/

SH256 hash:

ba37fc9704c62fa9f6cdea18fadbf3f082817d154ec98c5096c4c9f848740f42

MD5 hash:

8fceec336579b7506834f5c45d41f935

SHA1 hash:

d50a2e480209d6318774cf545aad1326d92737d1

Link:

https://www.unpac.me/results/f6758d7f-6b61-42aa-b717-aa395a32541b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/67973/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample