MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aa7e747c61a836ade8d1840b7e5b27c6758b4874fce321bb6705beb86ae3f09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1aa7e747c61a836ade8d1840b7e5b27c6758b4874fce321bb6705beb86ae3f09
SHA3-384 hash: ef5b10ab326d24d5a96bc215af850a0b6e0f6ea2d1ff1b2a2aa77c8b3c94b75747dad77a04c72765157b29cca48a7d4b
SHA1 hash: 106050ec36cd920655f699eb190a3f66f3a8fc92
MD5 hash: 77b27b5c8212775a5478981c6c240abd
humanhash: cola-nebraska-one-item
File name:77b27b5c8212775a5478981c6c240abd.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:933'544 bytes
First seen:2021-08-22 06:29:46 UTC
Last seen:2021-08-22 07:59:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:iVLFvth+w7GodQpbelTZ88o0FmLYF3Bc8JEYbd0B3EsjDVvwrwiZaYh/wN6v72p8:ivv/Nv+kTK8ovLYjc8PiB3B1iaYh/Pr
Threatray 60 similar samples on MalwareBazaar
TLSH T1AB15BF1477C48A21C97A0271AD38F4C8EBF9A9236105A69934CC7DFB1F33BC146A7766
dhash icon 71f0c08888c0e070 (9 x SnakeKeylogger, 9 x AgentTesla, 8 x AsyncRAT)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
77b27b5c8212775a5478981c6c240abd.exe
Verdict:
Malicious activity
Analysis date:
2021-08-22 06:31:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3c837e6-20ad-4cdd-b175-f09bfb902c1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181171/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46768571.12131.18558.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f870c2eb-56a6-4cb0-a7ff-f5af55bbf681
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/836956
Signature
.NET source code contains potential unpacker
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses powershell Test-Connection to delay payload execution;
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469386 Sample: EV8f1zLA2k.exe Startdate: 22/08/2021 Architecture: WINDOWS Score: 76 32 Google.com 2->32 46 Malicious sample detected (through community Yara rule) 2->46 48 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 2 other signatures 2->52 8 EV8f1zLA2k.exe 3 2->8         started        signatures3 process4 signatures5 54 Uses powershell Test-Connection to delay payload execution; 8->54 11 powershell.exe 19 8->11         started        14 powershell.exe 17 8->14         started        16 powershell.exe 16 8->16         started        18 3 other processes 8->18 process6 dnsIp7 34 Google.com 11->34 20 conhost.exe 11->20         started        36 Google.com 14->36 22 conhost.exe 14->22         started        38 Google.com 16->38 24 conhost.exe 16->24         started        40 192.168.2.1 unknown unknown 18->40 42 Google.com 18->42 44 2 other IPs or domains 18->44 26 conhost.exe 18->26         started        28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1aa7e747c61a836ade8d1840b7e5b27c6758b4874fce321bb6705beb86ae3f09/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 23:20:00 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
081d4cc20e46574bc49b49558940371ce6b0a037d61ee2915e3a16f588de4eb8
RedLineStealer
2879bac33326dbd49d0af29893f110eab577cdf9f741e025c03dcbdde467028c
RedLineStealer
503daa99af5a571e42bba412296ce3f6e086ce203359cb27f7d04442d10b2999
RedLineStealer
6ffa008d9c18433dfb729075105f7837874da4b96d22c7718f360558f9aeaa0a
RedLineStealer
a024f189799cced8d2b2b164f4cc73b0eb9e12784bc977f182175bb61c17a171
RedLineStealer
fae536169514c5730e6d6d6a582fb988341edd4cc1a62b5a2f172e87dd1708c5
RedLineStealer
fb416672e7ef0f01a189765395e9c87a44de01f41f4df96c871a267fea65cb87
RedLineStealer
+ 50 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210822-hcdvx384je/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
68df44ff14b7ed969787e95e007c5dc8734c3e00a586ae3a4b6962bcfe38d1d3
MD5 hash:
2a2f00642da641cd75828922e318c61a
SHA1 hash:
81d38d6abdc6a837fdec0fc4f2e10a9e22940549
Link:
https://www.unpac.me/results/7a05792c-551c-4ea4-b193-beb59d16f4aa/
SH256 hash:
1aa7e747c61a836ade8d1840b7e5b27c6758b4874fce321bb6705beb86ae3f09
MD5 hash:
77b27b5c8212775a5478981c6c240abd
SHA1 hash:
106050ec36cd920655f699eb190a3f66f3a8fc92
Link:
https://www.unpac.me/results/7a05792c-551c-4ea4-b193-beb59d16f4aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/1aa7e747c61a836ade8d1840b7e5b27c6758b4874fce321bb6705beb86ae3f09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PowerShell_Caret_Obfuscation_2
Create hunting rule
Author:Florian Roth
Description:Detects powershell keyword obfuscated with carets
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181171/

Comments