MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03031069effcc682a77ef6309fa1cea1ea2393dc4e385312952ca9b245ec4a09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03031069effcc682a77ef6309fa1cea1ea2393dc4e385312952ca9b245ec4a09
SHA3-384 hash: e39f54f1c3da722f9e091d03dc7fc6b67fdf2e86c3ee116155978b7e8de99875cd4b4e2762c9e48d5148ac3805c75fcf
SHA1 hash: 05f5cb37f4d377af8cb625b692fa35f76e1523ca
MD5 hash: fbe8527fb051e524feba08f22f1ec148
humanhash: cup-foxtrot-pluto-fix
File name:SKBMT_May Purchase Order 5870Z904_ PDF.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:730'624 bytes
First seen:2021-05-10 12:27:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:pORak+kHVChgsrj3fm5PritcV+tLHFGSeMOOy8seMsPgOf0k5:p0a6sFjv0TIHFGV/b8seDgOr
Threatray 146 similar samples on MalwareBazaar
TLSH C5F4BF2DB5947E10EABD0E3FC5A5A16080FEED065D17D66E48F03ACCACB77A8D41160B
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154024/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/777347
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03031069effcc682a77ef6309fa1cea1ea2393dc4e385312952ca9b245ec4a09/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 11:55:50 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ambra2pp7tdifj366yyj7ioouhvche64jy4fgeuvfsu3erpmjieq._file
Verdict:
unknown
Similar samples:
04c9ccc533b33d9eaa98a4f82f32bcd142c1228492d195ab5335c094643b7a7c
RedLineStealer
1fc85978f3b776d0bd7abebdc302641a3da45ba768428134df4acdc622fd5f86
RedLineStealer
33378b4ff2e8e5d64380bf24d787e4cae639cd41ceafbeeff82d7cf7a74be69a
RedLineStealer
6d006ec6fb6d8741a3dc50c6f0131eb90bacbb9c49b60f02e1be2049aa4f2255
RedLineStealer
a288764c9f223354f3e0665d41632b84f52db509f9b533a4ba955d6cfb5cc11b
RedLineStealer
a4f9a06d39f0b20bb9e04aab75db64d3cf18ee2025a890471536415b6f18fcd3
RedLineStealer
cdea1065a53de4df5948c4ddb1746c4f0be7311db2dbc152b34951b65417af21
RedLineStealer
e431da31eb509224ab13458b7f50a92f3a2f41cf01c8014f69f0eaf9339ab9e4
RedLineStealer
f5275c37ab60185f4fb3348905093f9ad7e08b3719ab008a9f2193a7f6e4e537
RedLineStealer
f5a3c92032bc45af8e374b619a5b6d046e6c3eadc83dc84595bffc4d6acab717
RedLineStealer
+ 136 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210510-8mabs1cp7j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/03031069effcc682a77ef6309fa1cea1ea2393dc4e385312952ca9b245ec4a09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154024/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-10 13:32:43 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing