MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3
SHA3-384 hash: 496526723bfd9168f251d3c66d40674fa07c8a295222c4ad7b5cc8ee6b53f1ca986947d0baec85012bf5fdc51b124ac5
SHA1 hash: 647210935a57ee45ed6dd384265272e1e6a71b99
MD5 hash: 1d71373adf7d016bca9c36230bac3e08
humanhash: cat-low-golf-zebra
File name:1d71373adf7d016bca9c36230bac3e08.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:556'544 bytes
First seen:2021-08-10 13:47:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:WoMNMgptMA/ZwBW3tOOPQ5zTvwniQinDbie2iN96:QpOmZwBWdr45Hvwnc1
Threatray 485 similar samples on MalwareBazaar
TLSH T12DC4BE22A3E84228F5F70B75BDB451519A77FD9A2A22C71E345C720D0FB378486B2763
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1d71373adf7d016bca9c36230bac3e08.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-10 13:55:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e73ef8de-79bd-4576-91a1-1dc48bfa7ff7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177965/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d34666f-2204-403c-b3af-ec325bb0189f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/830368
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 10:36:08 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
09be1d1130ddcf7aa7d321a4c70110c98a344812c818ed0cacfcbab916338034
RedLineStealer
2352a7cd00ed5221c4b807670ca01f49f76beb5dea868d8db38b1fcc0e362c18
RedLineStealer
2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf
RedLineStealer
4193084a6eba68bbb6aef41ffc1f21685208c6b942de9e5853b70b04834c296e
RedLineStealer
6f14afbba1fb3f07259d7153604a7877f9a0be968b600e2f82b6b491d4e994a6
RedLineStealer
7cde61d40a49c50829fb9219fa8556768d18b9ec7ac362b04880ed7e52528073
RedLineStealer
8501c67f38ab4539d326cf388311519c918d179da7a5b4228af51767d652f4ac
RedLineStealer
b3b54e5b4b3bbaec85cb89db4238cbb040b5f1a6edf4187c0801d338972a230a
RedLineStealer
b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057
RedLineStealer
cb72b73a404d3558ab932a260d7417ca25f4f35327a9407b446ad370ff9a5e1e
RedLineStealer
+ 475 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210810-kxvlkfvzg6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3
MD5 hash:
1d71373adf7d016bca9c36230bac3e08
SHA1 hash:
647210935a57ee45ed6dd384265272e1e6a71b99
Link:
https://www.unpac.me/results/e6d780d2-816f-4ae4-b1ce-21c62f3570e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1478798/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/177965/

Comments