MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bde9be8d9036fd9d22b327c9a260d96dbc3e5e805d7836b826df30e2595113f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bde9be8d9036fd9d22b327c9a260d96dbc3e5e805d7836b826df30e2595113f
SHA3-384 hash: 90e1988edfb795d2eb46f8fdcea5eff4524f7a124b4fd1020d7b16570953204d19e088e13c9db0c7ef1ea7af1c200ec8
SHA1 hash: a0e9eebbf2dcf14c94d2b3c32eaef5d8192b654f
MD5 hash: f88c1c3b39298c011ff88b940e80e948
humanhash: ten-mockingbird-dakota-mirror
File name:f88c1c3b39298c011ff88b940e80e948.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:591'360 bytes
First seen:2021-09-27 08:35:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 3072:NkjIeyQcKZhWMK2/+oi6xeWF8v22054ZHBzk794krj:eMe3VZY++oJ8n05MH494
Threatray 1'975 similar samples on MalwareBazaar
TLSH T108C41F394D2682F787EEC66CD08C1BCEDE66A4837B919F1AC496D7D2025B70FE48845C
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f88c1c3b39298c011ff88b940e80e948.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-27 08:51:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/224f43ef-b57a-4f5f-a37a-e984919529fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191989/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1037-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bdb11eb-44c4-4b64-8944-a172cad97101
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/858748
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bde9be8d9036fd9d22b327c9a260d96dbc3e5e805d7836b826df30e2595113f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 08:36:10 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0845d40154d331ca63220f0414c42f86888bec8eb7b23af8b589e8e5a72afd9a
RedLineStealer
1e89ff960f161816b8b30fa8a1c75401cc3b9a7554c99cf9dda142712dd81e54
RedLineStealer
57425bd807dc8979b3087a314082add276d735d7c01306bc2f66bd26c5d802e2
RedLineStealer
5a06b1aee5d39a7c1f86db45aec3215560a5bb3d9e1fab189b18877e3be10e36
RedLineStealer
70def7c02d96cb8aab6702e0d6f32c72d7fafbd2b883e09007de9fe204cd3f59
RedLineStealer
8e6f297527e6eb70b658b01c08cf16d6e88a1d5716eaf2f3162ab5b972112ba9
RedLineStealer
c651e973d7cc7d54b38d45b9c464889778e4262d3dfeb692cd87f0a2fd0d7079
RedLineStealer
c68b5c1b0e8dff309c47ff500389da44e5450b6ee729c000de4643fce7932a2c
RedLineStealer
fc3348044bd74a4b37cfcd56e6bd79932ec1afaae2534cb17d58d6a28172faf2
RedLineStealer
fd1b80b0afe3eb7f567268b2ddb4f022a9ac086d78e836605f378ac63630bc22
RedLineStealer
+ 1'965 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210927-kg44cagbcj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/4ebc062b-a820-4546-8703-87e6c8f4aab8/
SH256 hash:
1bde9be8d9036fd9d22b327c9a260d96dbc3e5e805d7836b826df30e2595113f
MD5 hash:
f88c1c3b39298c011ff88b940e80e948
SHA1 hash:
a0e9eebbf2dcf14c94d2b3c32eaef5d8192b654f
Link:
https://www.unpac.me/results/4ebc062b-a820-4546-8703-87e6c8f4aab8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1bde9be8d9036fd9d22b327c9a260d96dbc3e5e805d7836b826df30e2595113f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1bde9be8d9036fd9d22b327c9a260d96dbc3e5e805d7836b826df30e2595113f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1638497/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191989/

Comments