MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 280626c6a1b49b72197144e8b287544f316ffb82fbc6133c1cc51d4f77437660. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 280626c6a1b49b72197144e8b287544f316ffb82fbc6133c1cc51d4f77437660
SHA3-384 hash: 939f363c8be94e24b1eab0ad908aaf8e2f44cc6b984b8bb5ca7136b9a4bb6f0decdb05d6bec526c82908f5c610f874ec
SHA1 hash: 476a107fda4f09e656b602012639ff99672af1f1
MD5 hash: 6790916fad4f73875682a0609b1e2f05
humanhash: delta-vegan-double-oven
File name:6790916fad4f73875682a0609b1e2f05
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:272'368 bytes
First seen:2021-06-15 01:06:14 UTC
Last seen:2021-06-15 01:46:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:aWNIO9/Wv5P15epIUQamGY7Pyx7cSd3iYUimW/U1:aWR8D5excmx735iNv6U1
Threatray 92 similar samples on MalwareBazaar
TLSH C944F1A696C7A101D8854FF16DC18C6AB4FEE7900E3F19E778072D2FCD09A8FD612225
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6790916fad4f73875682a0609b1e2f05
Verdict:
No threats detected
Analysis date:
2021-06-15 01:08:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78c4202a-a06e-4791-a662-189f0437b251

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Bulz.515919.10418.22068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e33329a4-8fcc-4257-99c0-7a0159fc9442
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/802071
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/280626c6a1b49b72197144e8b287544f316ffb82fbc6133c1cc51d4f77437660/
Threat name:
ByteCode-MSIL.Trojan.Dnoper
Create hunting rule
Status:
Malicious
First seen:
2021-06-14 16:07:57 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fadcnrvbwsnxeglritulfb2uj4yw764c7pdbgpa4yuou652dozqa._file
Verdict:
suspicious
Similar samples:
08c7314bebaa8766553ecedf92db572d0c434168dd9721967c9d11a48ca4e679
RedLineStealer
322693742e28ff77ebb62328e953e9898136745be8d9b25b67352201493248aa
RedLineStealer
3390c123938c77d21a6ae1dc750265427ea0fb5f5dd3571a9f2dcb069ee66812
RedLineStealer
4b9802e46fc0efd83d5e603b47743543987c12d543b4a75b67d6b873e889eb34
RedLineStealer
6337db7b2c4d040e1b802625a820769ad9f110f3356e7fdf1425ad283e0d960f
RedLineStealer
9e1c41de9e6909e96332fa6af01a17721cd82616aaa27a78338d0e305d58b81a
RedLineStealer
b74d77c359b3eea168c342dda78f18f8afaf6379763ca8221e91ebdf1673d4f0
RedLineStealer
bed7bde808f7f069703d1655dd9762ec3744f7d991218654f2f6f41fc6383e6d
RedLineStealer
c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e
RedLineStealer
cdb260bc1d56435c3bd52fe7d5f5f153d8cec4d52450bb53d7db1c669e309095
RedLineStealer
+ 82 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210615-s3891959v2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
6d5c3e8ff6dc04b97bd386ba8a9e9b0c2833c2ff346eafcf9e8dfe92134f21ad
MD5 hash:
896aa82d647bdbd14bfbde14b09dbb44
SHA1 hash:
c9077fe51c5009a9f91baacff9b736a2a7599a94
Link:
https://www.unpac.me/results/56af019f-acce-426a-808c-b9d3e523693d/
SH256 hash:
aac17946ab9a3eb7ed89b3b534f46c80d99f93e281f88c7e2f95c22a435b87e6
MD5 hash:
2b22315c90f8237e91afae36bd55388e
SHA1 hash:
6e5b4e8b3e6ea20d8f6bd7b4b669d2bc8b432895
Link:
https://www.unpac.me/results/56af019f-acce-426a-808c-b9d3e523693d/
SH256 hash:
280626c6a1b49b72197144e8b287544f316ffb82fbc6133c1cc51d4f77437660
MD5 hash:
6790916fad4f73875682a0609b1e2f05
SHA1 hash:
476a107fda4f09e656b602012639ff99672af1f1
Link:
https://www.unpac.me/results/56af019f-acce-426a-808c-b9d3e523693d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/280626c6a1b49b72197144e8b287544f316ffb82fbc6133c1cc51d4f77437660

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 280626c6a1b49b72197144e8b287544f316ffb82fbc6133c1cc51d4f77437660

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1367035/

Comments