MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03ca3c211536cd312b4e46531314c5ad021171026441e99f1d951b9ee8e29e46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03ca3c211536cd312b4e46531314c5ad021171026441e99f1d951b9ee8e29e46
SHA3-384 hash: f098c572520453cc155170b1bb6f870f1a3e68d574d9caec63322662461f7f77d61baf06b41246e6f19b8e8714436746
SHA1 hash: 10a055107d83f9bc7ae5dd0ba6cdb2f368c014cc
MD5 hash: 71b6febdaccea66e739ead121613814a
humanhash: asparagus-carbon-diet-three
File name:71b6febdaccea66e739ead121613814a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'054'208 bytes
First seen:2021-08-05 18:37:50 UTC
Last seen:2021-08-05 21:11:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0T7zT6Ffi0i/75/BH2djXOQ0mp0ptZJKI/W4YtPw72ygbSOTNdj5Ir5ctQfO001K:0T7yFfvi/75/BceQh0nZJKIuPQMTLIl
Threatray 2 similar samples on MalwareBazaar
TLSH T101255CAE365032DFC8A7C872CA581C14F7A4B467534BC743905326ECAA1D9ABCF651F2
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
71b6febdaccea66e739ead121613814a.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-05 18:40:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/11e5ff44-46ec-4b3a-92e4-eca549291fc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176809/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46648394.22458.32661.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba27b3b4-0e2b-4108-95e4-1b97f7fc4a6e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/827634
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03ca3c211536cd312b4e46531314c5ad021171026441e99f1d951b9ee8e29e46/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 00:06:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
32 of 47 (68.09%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
d03c04a685a0a4f735c0456cb4d1073792a19ea0fbf18a0c28d7b445798a4a18
RedLineStealer
d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e
RedLineStealer
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210805-ra7r8c8f62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
03ca3c211536cd312b4e46531314c5ad021171026441e99f1d951b9ee8e29e46
MD5 hash:
71b6febdaccea66e739ead121613814a
SHA1 hash:
10a055107d83f9bc7ae5dd0ba6cdb2f368c014cc
Link:
https://www.unpac.me/results/6aefcf5f-ac88-4a9c-b510-3883252baa7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/03ca3c211536cd312b4e46531314c5ad021171026441e99f1d951b9ee8e29e46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 03ca3c211536cd312b4e46531314c5ad021171026441e99f1d951b9ee8e29e46

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1508974/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176809/

Comments