MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1818edd71e01521cba21b92633ee893d42b1b6ca5776a745795d78655dd33a8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1818edd71e01521cba21b92633ee893d42b1b6ca5776a745795d78655dd33a8d
SHA3-384 hash: 82bf8fae1c5ed9ad506687de8569b4fa886ba3d0fae8b01375c4f2a2212d2453309db5ec1dfc883b5feaff163b1ecbdd
SHA1 hash: 2079967bc700282082f9471232c06a091438de65
MD5 hash: 22fb54bb17a4164c32f14cca36a83198
humanhash: johnny-july-four-ack
File name:SKMBT_C36021091315307.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:817'152 bytes
First seen:2021-09-13 10:09:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cfn18HbxtB1qHj2DRU3/4krxuBhxl4RwtBlUOcsIz3emek4DbF53e0IUFLNF6t:c/qdtZvkrxuTARwwz3eTi
Threatray 12 similar samples on MalwareBazaar
TLSH T1CD05AE10B9D97317EEE3BF7D499C6C814A5B7D322502989FF4483E8E8632E42AD43725
dhash icon 532c6cd44cc14830 (1 x RedLineStealer)
Reporter TeamDreier
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKMBT_C36021091315307.exe
Verdict:
Malicious activity
Analysis date:
2021-09-13 10:10:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/19a03155-841c-46f0-a999-6f7cd2366b1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187414/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.19579.11779.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6175000cdb358dd15ed918fe/reports/319dd12a-8d58-4721-9136-2aabe13cb1e6/overview
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5e516617-9404-42d7-bbf6-c441af3746bc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/849652
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1818edd71e01521cba21b92633ee893d42b1b6ca5776a745795d78655dd33a8d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 10:10:18 UTC
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
142483644d21d3bbdde166a2848e7819f91197a51ffdb64567168ec11dd0b321
RedLineStealer
3125dcaa097260cc2c569a569bb1ad45a8bb6a9d60cdadcabda5d5e71157e174
RedLineStealer
67115e6158519fe2fff92209681162667a0caab50be21cf6ac673b8b827414c7
RedLineStealer
6b1f2dd9cc3741ad3b921c8c1eb45de8809a0afd7c87d4a2604d4426b7e679e1
RedLineStealer
b28ddf6937378f3b331f7f19b968e4f0f785d3799aafe32758b6be2496dd6f69
RedLineStealer
ca606d739e04e71a849fa681ec6aeea269d162d24b01aaf96765fca4beafd5d0
RedLineStealer
f830ad148cc49dcd705f421185850e5afe16f448a3f660600f9745be348d1d13
RedLineStealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210913-l7djragedk/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a782fceb8b625fe602e05b60dc46a49c14d36abb2d2042679c90a1bab72b55e4
MD5 hash:
62eaae86e81552a1be7e38c03dd00ad8
SHA1 hash:
f13cf2cd94291ff5aec9997762e919e9c5aaf94e
Link:
https://www.unpac.me/results/5bcbb655-f62f-45b2-977e-878552fa59b8/
SH256 hash:
2fd3ee61a56a3166614cfd577d45e78de6b4739b431369e1a750a464a4f583e0
MD5 hash:
aa74ff9effac896567edb647a9a17e32
SHA1 hash:
cda7e7bdbcc6c896e3defb9a762d963ed288ceb8
Link:
https://www.unpac.me/results/5bcbb655-f62f-45b2-977e-878552fa59b8/
SH256 hash:
07434fd730dc41093a6fae24343347d80c7393f68db6f1557945491224b550e9
MD5 hash:
4ad3958bb7d4b1116d4206c4b956d0b9
SHA1 hash:
69cc4681020361b774a4537660ab5e4d42cb9a9c
Link:
https://www.unpac.me/results/5bcbb655-f62f-45b2-977e-878552fa59b8/
SH256 hash:
1818edd71e01521cba21b92633ee893d42b1b6ca5776a745795d78655dd33a8d
MD5 hash:
22fb54bb17a4164c32f14cca36a83198
SHA1 hash:
2079967bc700282082f9471232c06a091438de65
Link:
https://www.unpac.me/results/5bcbb655-f62f-45b2-977e-878552fa59b8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1818edd71e01521cba21b92633ee893d42b1b6ca5776a745795d78655dd33a8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187414/

Comments