MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 044b42b8f81ceff503fa504db9a10cc09dd22c456b5c79370a2165fe97bdcdc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 7

SHA256 hash: 044b42b8f81ceff503fa504db9a10cc09dd22c456b5c79370a2165fe97bdcdc5
SHA3-384 hash: 69c1238bad37de64a8e9fc1e1c2d534e78c602d51b25c39d2a4eb6924f957f10df97a1aeb10d90490d291ef3efabe7f4
SHA1 hash: bebae73f2f40491b8b7f3a39d3ef0c382aa994b0
MD5 hash: ece737e445645e8585e07a592d75cbc5
humanhash: football-december-hotel-montana
File name: ece737e445645e8585e07a592d75cbc5
Signature: RedLineStealer
File size: 855'552 bytes
First seen: 2021-06-30 09:21:49 UTC
Last seen: 2021-06-30 09:50:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:T1fw+Jwz/S/6+4ck+lHv0PTMbUkIaMUcf/:Tlw+W7SClcXlH8Ps6Uc
Threatray: 6 similar samples on MalwareBazaar
TLSH: FA05232022D44460EB75DEBA1DF8D4897571830EFD0AAFA82B41261DC66BB578B3317F
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 104
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ece737e445645e8585e07a592d75cbc5
Verdict: Malicious activity
Analysis date: 2021-06-30 09:24:22 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 72 / 100
Signature:
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Costura Assembly Loader
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files

SHA256 hash: 77fca82c978e2a4b63f8f1091e2de6b16199899893255768416b50ae07288aba
MD5 hash: 046b1a4457874fdf43a31c04763f4791
SHA1 hash: f406381b14ab9ec7dddafb599fac06228f657467

SHA256 hash: cca6267b568f92870376ef1c3a91c107516f1296ea79e5e794a4b2fdca0aadd5
MD5 hash: 631039b3ffeb75fdcb426dc9ffb3cab6
SHA1 hash: dc1ead82032d662c4ae21e0d3cb86001cd36c4dd

SHA256 hash: 2be20b5348a0d41536e37ec404796fcdeae42204b8f3768715e1c892b46709c3
MD5 hash: b36b839940a4e70dd934ece067574b39
SHA1 hash: d3f953df8255636acc7a23563e54e01b281ba150

SHA256 hash: 3ed494b3294cdee38104d514253b2226b1952e063553dfbd50cfee50ab486369
MD5 hash: 899880a18d9719d31bdac6a24d1dced8
SHA1 hash: d044d85d59733ac4bdc42d5a3f4c776ef1e70d81

SHA256 hash: d299a329f11ba06e00069e5cb32481b20d8fc95033aed1d10ffbccfebbf7532f
MD5 hash: 142fb4e86c736af8e3010a8d9f6c7433
SHA1 hash: cd8eca761738d71021408ea64e337f3ff86747bd

SHA256 hash: 44ea3020fde8a0fe3eedb6bebb23b18511f5de20f3a4aeb950259db833134c75
MD5 hash: 26145adad5b1c414c89deae99fea9d22
SHA1 hash: ba741f04ef768105bfc2d87621da2b752e88698e

SHA256 hash: 126f596f96d60bd6ca0be4f2739d98423e430b6ff2d7bebda4122adb526750c1
MD5 hash: 26132a712e22d8cae8db716922704915
SHA1 hash: 9ed02f67d8507931850d1cf8ed3e7265e33984c9

SHA256 hash: 1e0f7b7bc392d4587548b9113c8e917ae4969a0ec59fa47844e67ba575b01922
MD5 hash: 9ea8ca514d64514135095921d0a60dc6
SHA1 hash: 9cb02b0cb15efad12b0fbb943b3fc9406f273491

SHA256 hash: 0cbba917d1239aa0bb7d93edb143c340d0ad03d4824f06df4bb932859e76d2b7
MD5 hash: 1f45b6969165fff4fd8f9bd0cacf5713
SHA1 hash: 98197fa1f794de155d01ebbeeb6354ff61ce1661

SHA256 hash: 10fd09a41db49a4bb1ec8229977bc808e7d20fed37baec6071598ed5e8bf37a9
MD5 hash: db811a1847190d80429b8517851ed443
SHA1 hash: 87168d269aec014c65d2e6f305f9533305a76a7b

SHA256 hash: 9eda2f6537c4e08be88658a01185b8775ed9eb997ee5e952e84dd4cd04f2af15
MD5 hash: 82b90f2d37b07073edf031af0b6821fa
SHA1 hash: 83ae9fc897c9a7b09f2527c83c9c2c7f6250b220

SHA256 hash: 8fd9bbe3aea0555e9eb4f9519ec69f8542646b2123729a2f9e621fc7eded4282
MD5 hash: 5ca00a06e2d3e64295a660c0486d1b42
SHA1 hash: 624d0d8c7ca3eb48d27d9436549972c8c355473e

SHA256 hash: cabf9e38d01ba8cb3aab7dfe5e552ca3d8cc143b781f4fc9aa0def2f51dddea1
MD5 hash: f3a600b88b5aabb55aa0df501e84a302
SHA1 hash: 58ae68f846c6b356cb3fcb53ac0d770140a25703

SHA256 hash: db0aa38b3920c0778e799fd73e585ba81813a9a2811944425002741881fb1762
MD5 hash: c7b6ad554119ca07e7ae4db50c8e8f7a
SHA1 hash: 49c66e91ff203b313e7092f1fe4e0da4effdf0aa

SHA256 hash: 6e60e54c2b5db5c13179467254fe1c5c3b5c7743b0948c8637c4052039114ade
MD5 hash: 9da5492070082e4cd89ceaea0e8dfc1b
SHA1 hash: 3ec80f455eb8e2c71049f6ac8559079c019222b4

SHA256 hash: 360a1a62f45ef318b79bec1867b8dd9a8570bb322b6dee7b7b7c3abe9a96ccca
MD5 hash: 6e1ac64626e122587dc597b5c9d05135
SHA1 hash: 17acff2a4172c00e05fa0dc6d16aef1d8854a0a1

SHA256 hash: 890830ed9445fa87f9d9b7b244591b15acfe07e77209f6db0971e41f88c13ed0
MD5 hash: 89377bbffdf08b47c8cb945c84eef0f1
SHA1 hash: ef44493116fe722e8998f14a4cd0fccb9ff76239

SHA256 hash: 33feed5799707c97d6ef4c8ffc75d4a45901331fdd8c181b57806a4e14c0edcb
MD5 hash: 6aac297b1d81943340cd8ca0ef3a7089
SHA1 hash: d9fada6e1429032a9dedb65783c5d098c5e25c2e

SHA256 hash: c775e237d13f0283bf0e31bb1f41f1b77319ffd67770adf9810e61a5e39c9b10
MD5 hash: 5f312b80e38fc6d8a690435b07f81975
SHA1 hash: b0c749d3d61f4306cdc0516475390a172c6a12c9

SHA256 hash: 52f61322883530a1c3e7c8fe3721ada504ceee810da3622b08fdbe93156d3c35
MD5 hash: 054c982eb40cebc343305c04f95847f6
SHA1 hash: 94771909433ce90215ecd911c185bf502aaaed7d

SHA256 hash: d83762c8c12616b803cc02bbd3619e6e3eeed90994907fd01505a495b23e30eb
MD5 hash: 694e5d1621ed8b45279ecf195b651b59
SHA1 hash: 7b6c28faa92ed474c4e9ab63317f22831ad0efe1

SHA256 hash: f67a09e84d6818cbc85635f44544651149b8658e33178e6f509089f39dd5ac67
MD5 hash: c53fe4b393450d594e1b35445a7f8e3f
SHA1 hash: 01cf075ef4a3a65077e46ced482291ecc700d1f5

SHA256 hash: 044b42b8f81ceff503fa504db9a10cc09dd22c456b5c79370a2165fe97bdcdc5
MD5 hash: ece737e445645e8585e07a592d75cbc5
SHA1 hash: bebae73f2f40491b8b7f3a39d3ef0c382aa994b0
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer
Executable exe 044b42b8f81ceff503fa504db9a10cc09dd22c456b5c79370a2165fe97bdcdc5 (this sample)

Delivery method: Distributed via web download
