MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025
SHA3-384 hash: 4d7d62a5c3946d74deb7c2c3d98dc7c3033f6f41c311375572876efd28df354a87d819297578c25a91580e273db27bf5
SHA1 hash: abbb71291df7529f46f8d5896f1bb60e2a4afc21
MD5 hash: 30a35b83c44aba13ee4ea4ee11003419
humanhash: california-mockingbird-tennessee-violet
File name:30a35b83c44aba13ee4ea4ee11003419
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:96'104 bytes
First seen:2021-12-18 07:23:58 UTC
Last seen:2021-12-18 09:47:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (724 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 1536:K/T2X/jN2vxZz0DTHUpouMJbPxxE+1fHWUyRCEBaOoqhkG6owwDQCGgVOP:KbG7N2kDTHUpouMJbPxPfHryBa7JNVwk
Threatray 8'288 similar samples on MalwareBazaar
TLSH T1B193E1106BA4D467E9B24B312D706B678FBEF92426705F4B03501E9D7E323C2DA6E361
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:RDVINSGLASSENES
Issuer:RDVINSGLASSENES
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-17T11:51:51Z
Valid to:2022-12-17T11:51:51Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 8425146360dca3e16f58ec37f105ac01a88d202a6a89685c900bb42489277395
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Spotify email checker.exe
Verdict:
Malicious activity
Analysis date:
2021-12-17 23:23:54 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar
Link:
https://app.any.run/tasks/e5cdfb1c-b3ff-497e-9dc0-bf6f63881885

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.27598.21293.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2443/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61bd8c95ec6c6c14a9df5b68/reports/57fd8c1b-5bc3-4c8f-a0ee-9bcf003d686f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04d2a63a-d37e-487e-b4cd-7f9b3543e92d
Result
Threat name:
GuLoader RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909452
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected GuLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025/
Threat name:
Win32.Trojan.Shelsy
Create hunting rule
Status:
Malicious
First seen:
2021-12-18 06:03:12 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=73qqdg5jyxksffyx7bsmlxeodnerkcymjw4d6srmtm3nkhvqgasq._file
Verdict:
malicious
Similar samples:
125fdd6ece6bef31be73fa219aebd74708a750bddc944ea481bb07f7fa7ceae9
RedLineStealer
2fcd3f1ea4b954477eac45ea5c9174cf4a3195137d33504d7532715da3477e9a
RedLineStealer
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
RedLineStealer
80509073506573641c7e354f276c7968015a01e52a23c506a7fe484a68891915
RedLineStealer
84bbdc0b303d03c1ef4ee6d48dedd94181d8fc5650a20b557a555b0917aaf879
RedLineStealer
c6f93eb69924750adbe61115b2d6a200d534e783c6bd4ca0e2c0cd2969e9469e
RedLineStealer
ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677
RedLineStealer
+ 8'278 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:redline botnet:private_6 discovery downloader infostealer spyware stealer
Link:
https://tria.ge/reports/211218-h8dpcseee2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
RedLine
RedLine Payload
Malware Config
C2 Extraction:
194.26.229.202:18758
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/dcdf55cb-4ea1-4ea2-9413-4f2ffd2191ea/
SH256 hash:
fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025
MD5 hash:
30a35b83c44aba13ee4ea4ee11003419
SHA1 hash:
abbb71291df7529f46f8d5896f1bb60e2a4afc21
Link:
https://www.unpac.me/results/dcdf55cb-4ea1-4ea2-9413-4f2ffd2191ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1895255/
Cape
Cape
https://www.capesandbox.com/analysis/214936/

Comments


Avatar
zbet commented on 2021-12-18 07:23:59 UTC

url : hxxp://185.112.83.8/install6.exe