MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a4b10002c1fa242cefd6fef0eb3278c550700016013275ea8c48819e163a534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a4b10002c1fa242cefd6fef0eb3278c550700016013275ea8c48819e163a534
SHA3-384 hash: 98cbf6bc984d84f95e751098216bce519296d12dbe2639ae77c36ed18d10cd37318555bdae03f5683674e96bed12de5c
SHA1 hash: eacc7e8890f46cb8c087bceb861ca4a88b025473
MD5 hash: 3d33985d5a740f7841ddc28116097246
humanhash: mango-orange-happy-video
File name:3d33985d5a740f7841ddc28116097246.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:138'240 bytes
First seen:2021-09-23 06:21:07 UTC
Last seen:2021-09-23 07:23:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 1536:x27i+rrJh+ja5ez/PivlxQyFIicTgL8+op:I2+rbouez/6TFWkdop
Threatray 1 similar samples on MalwareBazaar
TLSH T1F4D39377006594A6C5B82334E4654F0B7EACDE240E40B5DCB04BB2FADD3DA5D8EF86A4
File icon (PE):PE icon
dhash icon 0060701818706000 (3 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3d33985d5a740f7841ddc28116097246.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 06:23:02 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/1c3bceab-4ee7-4613-8768-8acb6c1fd6e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190500/
Detection(s):
SecuriteInfo.com.Variant.Bulz.719529.17470.23562.UNOFFICIAL
Create hunting rule

Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75f8a71d-68d4-4d25-bd24-d849fac241c2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/856458
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a4b10002c1fa242cefd6fef0eb3278c550700016013275ea8c48819e163a534/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 06:22:07 UTC
AV detection:
17 of 44 (38.64%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d
RedLineStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210923-g4xq1ahffk/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
c53cc18e11ef7eaa70508a5ecb93195488a096dd0a28938dbd5576fae84f9d63
MD5 hash:
024a19b30949425cfa32e410bcea447b
SHA1 hash:
3780f359f201579bb4f406779f5fbdd4fe14c437
Link:
https://www.unpac.me/results/008ec129-e3a9-4bd6-a3df-05eb144ad9a9/
SH256 hash:
0a4b10002c1fa242cefd6fef0eb3278c550700016013275ea8c48819e163a534
MD5 hash:
3d33985d5a740f7841ddc28116097246
SHA1 hash:
eacc7e8890f46cb8c087bceb861ca4a88b025473
Link:
https://www.unpac.me/results/008ec129-e3a9-4bd6-a3df-05eb144ad9a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a4b10002c1fa242cefd6fef0eb3278c550700016013275ea8c48819e163a534

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0a4b10002c1fa242cefd6fef0eb3278c550700016013275ea8c48819e163a534

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1629282/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190500/

Comments