MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04acfe31e7bce18de3f9418b74bbe50bb7b6756b76beaef0d73e6557ff7b73ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04acfe31e7bce18de3f9418b74bbe50bb7b6756b76beaef0d73e6557ff7b73ec
SHA3-384 hash: 992c6f10cf91f1c4fef2d4b9e537b88b75092ede1c0e4cadb4cf3e1feebd7e9cd2d4314c6625b3da390973bd7ce34db3
SHA1 hash: e3f179d9d5f279504406ef095652b2e73a614dc9
MD5 hash: 9d8a5a9e34c8f63ac46cf64dbfef0dc3
humanhash: friend-washington-michigan-saturn
File name:PO #900864.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:872'960 bytes
First seen:2021-06-15 14:17:58 UTC
Last seen:2021-06-15 14:53:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:EcPc9EuzXvFmWJfkN++ACO7BRuOJ7AiDDkaOQSwYSXMqhYR8Y2mXjLGdT0cV6Zvk:EsOqOfDkTyrXMqh+AT0cV+quPHpVa68
Threatray 314 similar samples on MalwareBazaar
TLSH AB05BE522E98AB89F4F95B71BDE0832603F77D127B27D7C96E8471CD2863E808761742
Reporter GovCERT_CH
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO #900864.exe
Verdict:
No threats detected
Analysis date:
2021-06-15 14:20:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fac10b9e-2514-4fa3-9abd-9827001adcd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.2220.32337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7735e96-39c6-46a4-b137-b500373e18d8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/802503
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04acfe31e7bce18de3f9418b74bbe50bb7b6756b76beaef0d73e6557ff7b73ec/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 11:06:55 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aswp4mphxtqy3y7zigfxjo7fbo33m5llo27k54gxhzsvp733opwa._file
Verdict:
unknown
Similar samples:
058d5fa44050ac0a0544a77a57785ea08fa963b205a0cd9fae4538f8f4cc0ae5
RedLineStealer
2e826b4ff8b272db629c4983e9edd53656cc4a2e9d24178ebd2b6a8890d1e864
RedLineStealer
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
RedLineStealer
31f7d71ca24fbde43953ebf5e0518c065b795cef8e7b021ca7fbf31a06ce9348
RedLineStealer
8bf0629c5fa2fc821172ac5131d559debbffd89ed9cdcaa2e3963dbb67d2f734
RedLineStealer
acc92fd3a929ed4c52b41547b60563cd68b73701998071c3653424df8f51a474
RedLineStealer
c3c62460fce1e7c6964339da00bc229e02872c21de66a35c3aba8592ef7a8872
RedLineStealer
d60e5c1906d5a872d5342c64ab76b0417420c6324c495629be60fee5fcce1f2b
RedLineStealer
de2e00592af25f6033e0b10dbf2974b1e482ad117118cb726892a89acf2cd47b
RedLineStealer
f535414d7bdcacff5db6ba209be888ebcd7996b1602a3b78a574b72d03cca147
RedLineStealer
+ 304 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210615-7pbthc8pa2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
82fe42ffa7c2160c4ba79b666ba52f6dce210e0be5cbbb1419ddf3058215568b
MD5 hash:
a7c717e07a9e8fc3408914687859cf8a
SHA1 hash:
862f0e3f4f99c7674a540327ba08792e8a6cf5a1
Link:
https://www.unpac.me/results/97c2da79-a056-4d25-9e37-e24ae26c4a03/
SH256 hash:
04acfe31e7bce18de3f9418b74bbe50bb7b6756b76beaef0d73e6557ff7b73ec
MD5 hash:
9d8a5a9e34c8f63ac46cf64dbfef0dc3
SHA1 hash:
e3f179d9d5f279504406ef095652b2e73a614dc9
Link:
https://www.unpac.me/results/97c2da79-a056-4d25-9e37-e24ae26c4a03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04acfe31e7bce18de3f9418b74bbe50bb7b6756b76beaef0d73e6557ff7b73ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 04acfe31e7bce18de3f9418b74bbe50bb7b6756b76beaef0d73e6557ff7b73ec

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments