MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1af0cf5441051d2de05b123c9dfe4a5ebfd368cd6ad0e7ea0556b282c24d4d0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7



SHA256 hash: 1af0cf5441051d2de05b123c9dfe4a5ebfd368cd6ad0e7ea0556b282c24d4d0f
SHA3-384 hash: 6fec991a94ca530c9b140f8966959fac5c2077bf68d275a57ea048e8d76d7c39d4af9275c65a360099bdd8f30e56eba7
SHA1 hash: 50ddc5973c49494ad2634a8eda4fba08e2c708f2
MD5 hash: a4f0737d78567dedb5d5a9125f75ae52
humanhash: angel-twelve-low-pennsylvania
File name: Purchase Order.exe
Signature: RedLineStealer
File size: 1'404'928 bytes
First seen: 2021-07-29 07:48:11 UTC
Last seen: 2021-08-09 14:39:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:GfS/d3jKzksdks2y8jvV13fZL5ijEAN3XQNABQS6KsE5fzMeIryphW4LF6e8N6Z+:nKADZL0LNHCPOsE9LJh7LEN6ZNg
Threatray: 6 similar samples on MalwareBazaar
TLSH: T17755F131898CEF9ADC6803751F4816741EF18CA7E370D5683D8E72F0A5F0925DABA74A
dhash icon: a0a4acecdcf0f0e4 (1 x RedLineStealer)
Reporter: lowmal3
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 3
# of downloads: 108
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Purchase Order.exe
Verdict: Malicious activity
Analysis date: 2021-07-29 07:55:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: UNKNOWN
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: MailPassView
Detection: malicious
Classification: spyw.evad
Score: 76 / 100
Signature:
  Contains functionality to capture screen (.Net source)
  Contains functionality to log keystrokes (.Net source)
  Initial sample is a PE file and has a suspicious name
  Injects a PE file into a foreign process
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Uses schtasks.exe or at.exe to add and modify task schedules
  Yara detected MailPassView
Behaviour
Behavior Graph: Gathering data

Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2021-07-29 07:49:05 UTC
AV detection: 9 of 46 (19.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour:
  Creates scheduled task(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  CustAttr .NET packer
  NirSoft MailPassView
  Nirsoft
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RedLineStealer
Executable exe 1af0cf5441051d2de05b123c9dfe4a5ebfd368cd6ad0e7ea0556b282c24d4d0f (this sample)
Delivery method: Distributed via e-mail attachment

Comments