MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a2a6d1c44faaf913e485ad041724238f793bb57508eb1574b3b07a4931cc8a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a2a6d1c44faaf913e485ad041724238f793bb57508eb1574b3b07a4931cc8a2
SHA3-384 hash: e72049ddae1aa21b48369518908dc85d3193a1cae59a0aac9e8f37583e71dc51d2890e48cad01b3ec0ab52353dc036d3
SHA1 hash: ca544ac39921f1b4a6f557775ef05e78af9fdc81
MD5 hash: 51df217468ed7b0a41324d878fb38944
humanhash: speaker-quebec-pizza-early
File name:PO-2021-UTITECH.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'770'496 bytes
First seen:2021-05-25 06:19:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:GtnKBpZbI0O0MvYzcmiNlUvAWKbqhfG1VxlRk4tVdaMcSGrhZW1gVfDGpc:GqK0TMvVNlUvAjqh8r84LdiBZW1wf
Threatray 2'950 similar samples on MalwareBazaar
TLSH D785AC2F502AF126C168C27D06D4742BED90CFF36131AD25A8D33F991639E4C799E26E
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161637/
Detection(s):
SecuriteInfo.com.Artemis51DF217468ED.1067.24484.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/791911
Signature
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a2a6d1c44faaf913e485ad041724238f793bb57508eb1574b3b07a4931cc8a2/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 03:48:08 UTC
AV detection:
4 of 47 (8.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bivg2hce7kxzcpsilliec4schd3zho2xkchlcv2lhmd2jey4zcra._file
Verdict:
unknown
Similar samples:
12f249adf9e96719d8999e5ff16ca67fb252cb38edf05851577a564b3044f987
RedLineStealer
22916cd876516df90c959904823fbc25a331cd7f8e70343cc05f4674128f07e1
RedLineStealer
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
RedLineStealer
69da362bf57fa6f564c65d2df60c41c222c23a5296a8f48efe9e2e72ce58373f
RedLineStealer
79cf1acaf9b7a819bb68f28a23ed571a1cb1e517e09e3dde87614829ae7177d8
RedLineStealer
8c35b3d63f5644c97f5e9a1215ac4d9a4486eb78ff8a1410da52fa6853c99bf8
RedLineStealer
cc4a75a27a80dd0c34ed04f12235a3424715b7c546b530e138b58aaf0af69f90
RedLineStealer
dcabbdbcb25b9663b40e527927ad003ab43726989d5772a9999e4350ca974a6a
RedLineStealer
eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae
RedLineStealer
f6f89449abb24af3cfaf23fb4274541b5ee872a16bb9e6c9fe411e8a557000a7
RedLineStealer
+ 2'940 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/210525-g4saaahkks/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/0a2a6d1c44faaf913e485ad041724238f793bb57508eb1574b3b07a4931cc8a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 0a2a6d1c44faaf913e485ad041724238f793bb57508eb1574b3b07a4931cc8a2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/161637/

Comments