MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0149e8003a47d916adaf2172bccaba933c44f94d8b0e0e145e12b59bd40154a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0149e8003a47d916adaf2172bccaba933c44f94d8b0e0e145e12b59bd40154a2
SHA3-384 hash: 6a00b07eb30badba238f11c3164f1c049e34c1276ab3f92392aa4ba702eef02593921853b491dd1414758cc0a41cfb1f
SHA1 hash: b7ca1503fd260f8421ac5345b5e9e95538620e1f
MD5 hash: 746226fb3bbb9b9cbf9abf0e23ae0e9e
humanhash: batman-autumn-georgia-failed
File name:746226fb3bbb9b9cbf9abf0e23ae0e9e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:501'248 bytes
First seen:2021-07-15 13:57:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:CSt1MKkUOMCl/oRUQUwc9nJ4Cve8G16R3HYFZvYSmEmGiq8xV2:Cg1M3M4oXrCve8G1i+
Threatray 152 similar samples on MalwareBazaar
TLSH T106B47DAE339835AFC77FC476BAA4BC54FB5058A367078E0B418305C9590E9439E85CBE
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
746226fb3bbb9b9cbf9abf0e23ae0e9e.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-15 14:04:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e2913d1-afef-4361-a477-d0506ac2cd8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172010/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.5506.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09325b10-11db-4006-a226-f5d1838b700d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/816959
Signature
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Disables Windows Defender (via service or powershell)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449376 Sample: GOWhKbZr7b.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 64 40 Multi AV Scanner detection for submitted file 2->40 42 Machine Learning detection for sample 2->42 44 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->44 8 GOWhKbZr7b.exe 3 2->8         started        process3 file4 38 C:\Users\user\AppData\...behaviorgraphOWhKbZr7b.exe.log, ASCII 8->38 dropped 46 Disables Windows Defender (via service or powershell) 8->46 12 GOWhKbZr7b.exe 1 1 8->12         started        signatures5 process6 signatures7 48 Disables Windows Defender (via service or powershell) 12->48 15 powershell.exe 8 12->15         started        18 powershell.exe 12->18         started        20 powershell.exe 12->20         started        22 11 other processes 12->22 process8 signatures9 50 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->50 24 conhost.exe 15->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started        36 8 other processes 22->36 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0149e8003a47d916adaf2172bccaba933c44f94d8b0e0e145e12b59bd40154a2/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 12:53:11 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
02ec84d0b711866766513ad2b97752fe246e00e665e4518afe36260e5fa7b844
RedLineStealer
0e42efb1ea61d5d30ed176723fe7d724138abcf6c0291ced028ffa940171a312
RedLineStealer
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
RedLineStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
RedLineStealer
70c6f1b40c8d5d8b46a3601c4c260e14b53e4e59a5d46c0650216cf424f2d7de
RedLineStealer
7d02ae5ae3ed3b7a13ff5495174216ea3195764d7154b8e9b4997c74fd08fb09
RedLineStealer
b30f264fda73db6970c313776095289e5fc0ee77f6be19010e2f9e125205e845
RedLineStealer
bcb474ac919440674135c673d8c6a0fc8015a63a15b2849c3346f74a716b5249
RedLineStealer
c569b5dd76b6c49a985b6f8dc69d4f7f7f5cc4dc301ea7bc0c80a3a63b7bdaf2
RedLineStealer
f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21
RedLineStealer
+ 142 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210715-ah1tyeadj2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/bd89c193-b647-4d3b-b4cb-4a61ef607bab/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/bd89c193-b647-4d3b-b4cb-4a61ef607bab/
SH256 hash:
7e8e9271ffb43162a4bb118eeb9c632b28362d99746d4b98cbc16a89b5cb73cc
MD5 hash:
30f80760bbc80bb8ae0e93a3ecaa3458
SHA1 hash:
4e45de205ff3a9976c840a7a42013a0da90cca30
Link:
https://www.unpac.me/results/bd89c193-b647-4d3b-b4cb-4a61ef607bab/
SH256 hash:
0149e8003a47d916adaf2172bccaba933c44f94d8b0e0e145e12b59bd40154a2
MD5 hash:
746226fb3bbb9b9cbf9abf0e23ae0e9e
SHA1 hash:
b7ca1503fd260f8421ac5345b5e9e95538620e1f
Link:
https://www.unpac.me/results/bd89c193-b647-4d3b-b4cb-4a61ef607bab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0149e8003a47d916adaf2172bccaba933c44f94d8b0e0e145e12b59bd40154a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0149e8003a47d916adaf2172bccaba933c44f94d8b0e0e145e12b59bd40154a2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948785/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1452906/
Cape
Cape
https://www.capesandbox.com/analysis/172010/

Comments