MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01f61602b5e7f52acc50a13b1a9540a1b72e00726f863a4aabde53ddcaf099a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01f61602b5e7f52acc50a13b1a9540a1b72e00726f863a4aabde53ddcaf099a3
SHA3-384 hash: 9c302395d0da413b5573166f2cbbe77ca721dfbd1b407cfc5881aaf60f9fcc219091fba946c122bb3324cb9b0591821c
SHA1 hash: 1aa9ff53ac669e26ee824c84ccf657845baae7d2
MD5 hash: 83b983dedf71bfd3a8ed9c21d4535faf
humanhash: jupiter-item-king-xray
File name:request 1005211.pif
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:443'392 bytes
First seen:2021-05-12 13:14:51 UTC
Last seen:2021-05-12 14:19:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:CdUGk14WAcAdDYs2rLqv9TA8EjJ0EjzD0NnlmfIAagoC3TkTTITTTOTk1TTTTTTh:CddK4WAcODyWvpA9jTjgnkfIBHQn
Threatray 51 similar samples on MalwareBazaar
TLSH E0948EA6D13849CBE1144EF9BCC9AB621E749FF32F40A14EFB0126361E23754DC87A65
Reporter lowmal3
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/155344/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36880352.32042.22300.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a window
Launching a process
Creating a process with a hidden window
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/779887
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 412286 Sample: request 1005211.pif Startdate: 12/05/2021 Architecture: WINDOWS Score: 96 52 Multi AV Scanner detection for dropped file 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 .NET source code contains very large array initializations 2->56 58 3 other signatures 2->58 8 request 1005211.exe 4 9 2->8         started        12 msedge.exe 4 2->12         started        14 msedge.exe 2 2->14         started        process3 file4 30 C:\Users\user\AppData\Roaming\...\msedge.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\...\request 1005211.exe, PE32 8->32 dropped 34 C:\Users\user\...\msedge.exe:Zone.Identifier, ASCII 8->34 dropped 40 3 other malicious files 8->40 dropped 60 Writes to foreign memory regions 8->60 62 Allocates memory in foreign processes 8->62 64 Injects a PE file into a foreign processes 8->64 16 wscript.exe 1 8->16         started        19 request 1005211.exe 4 8->19         started        36 C:\Users\user\AppData\Local\Temp\msedge.exe, PE32 12->36 dropped 38 C:\Users\user\...\msedge.exe:Zone.Identifier, ASCII 12->38 dropped signatures5 process6 dnsIp7 46 Wscript starts Powershell (via cmd or directly) 16->46 48 Adds a directory exclusion to Windows Defender 16->48 23 powershell.exe 24 16->23         started        42 84.38.134.105, 1658, 49753 DATACLUBLV Latvia 19->42 28 C:\Users\user\AppData\...\request 1005211.exe, PE32 19->28 dropped 50 Creates an undocumented autostart registry key 19->50 file8 signatures9 process10 dnsIp11 44 192.168.2.1 unknown unknown 23->44 26 conhost.exe 23->26         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01f61602b5e7f52acc50a13b1a9540a1b72e00726f863a4aabde53ddcaf099a3/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 10:19:09 UTC
AV detection:
19 of 47 (40.43%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ah3bmavv472svtcque5rvfkaug3s4adsn6ddusvl3zj53sxqtgrq._file
Verdict:
unknown
Similar samples:
014f64defb76d4f14751fc7352aa2e3f4a9b09e4f2f0e2ef506331fd78eb7636
RedLineStealer
0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f
RedLineStealer
20953019087963bd55f735a4296337bb5f93e1ff5501cdb88c6705c5c414fa5f
RedLineStealer
3f4dc309be69548972299cb0517c884bcb5a472fbf9693ff3d07776c9464af1c
RedLineStealer
7b75ef695dbbd0531edd85679419f9f64e153d8a4f19ac9db0c0a637a2b7bcdb
RedLineStealer
8d33ac3a6ed3e4e8608757bf57424e201c94f5418eb24d7a921fc9116d595c88
RedLineStealer
90c34abc42842c9910a1149103248a108e114624ec9877a092fffadcdf9c54e1
RedLineStealer
9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0
RedLineStealer
9df0a0cb2d01d70a84143dd1c1b0749e5abd2b64546f2706b71da16081e35ecd
RedLineStealer
bf411b461237ce0b5f1cf021af00bf94c0f31a8aac095c9d36581c5095fcc2a7
RedLineStealer
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210512-p7dqqes9fj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01f61602b5e7f52acc50a13b1a9540a1b72e00726f863a4aabde53ddcaf099a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 01f61602b5e7f52acc50a13b1a9540a1b72e00726f863a4aabde53ddcaf099a3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/155344/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-12 14:00:59 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program