MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 293e9d691076d1b23090f9df8a3605b61448dc83126990cbde71ff97563bbc1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 293e9d691076d1b23090f9df8a3605b61448dc83126990cbde71ff97563bbc1a
SHA3-384 hash: 31c4fabca4ebf3b54223290900aa2734d5aeeadd1c9f08dd840e2208f1189efd414ae4a34b69c31dadd8f42fedaa2de7
SHA1 hash: e61cfc69f91e7b8c5a3589cfd7d236225e54e979
MD5 hash: 08526aeea012d110fa280c27d67c1b6e
humanhash: undress-michigan-cat-aspen
File name:08526aeea012d110fa280c27d67c1b6e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:294'912 bytes
First seen:2021-09-20 07:29:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:7npHy9ncstDPLhhx8m7EN4pbdOe4eUL1KxgoPzygx8Xoa8:zp4D18l4pRO5eCUXrygx8Y
Threatray 391 similar samples on MalwareBazaar
TLSH T10854DFF323448EA0EDBA0B7281A2F6548776EE662C20E137F1C971594B3F7978E83545
File icon (PE):PE icon
dhash icon da3930ac989192d9 (2 x RedLineStealer, 1 x CoinMiner)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08526aeea012d110fa280c27d67c1b6e
Verdict:
Malicious activity
Analysis date:
2021-09-20 07:30:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/992b455a-f1bd-4f48-9949-915f206089c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189245/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1bce908e-3db6-4110-826b-5ff0d5263612
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/853799
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Encoded PowerShell Command Line
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486229 Sample: Ta093Uu2Q2 Startdate: 20/09/2021 Architecture: WINDOWS Score: 80 43 Multi AV Scanner detection for submitted file 2->43 45 .NET source code contains potential unpacker 2->45 47 Machine Learning detection for sample 2->47 49 Sigma detected: Suspicious Encoded PowerShell Command Line 2->49 8 Ta093Uu2Q2.exe 6 2->8         started        12 service.exe 3 2->12         started        process3 file4 33 C:\Users\user\AppData\...\Ta093Uu2Q2.exe, PE32 8->33 dropped 35 C:\Users\...\Ta093Uu2Q2.exe:Zone.Identifier, ASCII 8->35 dropped 37 C:\Users\user\AppData\...\Ta093Uu2Q2.exe.log, ASCII 8->37 dropped 53 Encrypted powershell cmdline option found 8->53 14 Ta093Uu2Q2.exe 3 8->14         started        18 powershell.exe 18 8->18         started        55 Multi AV Scanner detection for dropped file 12->55 57 Machine Learning detection for dropped file 12->57 20 powershell.exe 12 12->20         started        signatures5 process6 file7 39 C:\Users\user\AppData\Local\...\service.exe, PE32 14->39 dropped 41 C:\Users\user\...\service.exe:Zone.Identifier, ASCII 14->41 dropped 59 Multi AV Scanner detection for dropped file 14->59 61 Machine Learning detection for dropped file 14->61 22 cmd.exe 1 14->22         started        25 conhost.exe 18->25         started        27 conhost.exe 20->27         started        signatures8 process9 signatures10 51 Uses schtasks.exe or at.exe to add and modify task schedules 22->51 29 conhost.exe 22->29         started        31 schtasks.exe 1 22->31         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/293e9d691076d1b23090f9df8a3605b61448dc83126990cbde71ff97563bbc1a/
Threat name:
Win32.Trojan.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 01:13:27 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0da1306ca75347a4387079465ef83befc5027ca4943c08024504175da47301af
RedLineStealer
1e003aa6499e75fcb47a0288d1e43b523b13b394bb8b692eae0b314a124d6f26
RedLineStealer
28184c88216897491c60fc75dbd6bd99a2f436a5cf8c7f4322f10d2245b4dba5
RedLineStealer
4f450fcf02d7006fd4fbea8c2cad999397672d44864f1e8c504633ce53c3d53d
RedLineStealer
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03
RedLineStealer
7bfa1a2593f74120d8f9ad1cdae68a06f22c86fdcc58eb9ecb3471b500330867
RedLineStealer
8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3
RedLineStealer
fecbd8f95e06216e7c1ba26d4f9e9cfa33d717c56667cb2834a6493b9b53b347
RedLineStealer
+ 381 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210920-jbt6hsdce9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
ba0cac3ecf7443d77df968880228936f03cc4acb755448f1075643dd8205136b
MD5 hash:
ce6eb5d6a0c3072a083f869b3bbf92d6
SHA1 hash:
9db685e193b444ed34b139db0914040a51ee89fc
Link:
https://www.unpac.me/results/c1f09adf-f99d-4ae0-9413-a98de4f0e9d6/
SH256 hash:
eae9a03b8f1836fff86f44b59d433c6193657656c77dc49f2c6e0da4cef3c40e
MD5 hash:
09a192f0e69f1f8bce9e282a997e7658
SHA1 hash:
92875a76264c81c5afd9a69abe86a5ae0faf2f6c
Link:
https://www.unpac.me/results/c1f09adf-f99d-4ae0-9413-a98de4f0e9d6/
SH256 hash:
293e9d691076d1b23090f9df8a3605b61448dc83126990cbde71ff97563bbc1a
MD5 hash:
08526aeea012d110fa280c27d67c1b6e
SHA1 hash:
e61cfc69f91e7b8c5a3589cfd7d236225e54e979
Link:
https://www.unpac.me/results/c1f09adf-f99d-4ae0-9413-a98de4f0e9d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/293e9d691076d1b23090f9df8a3605b61448dc83126990cbde71ff97563bbc1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 293e9d691076d1b23090f9df8a3605b61448dc83126990cbde71ff97563bbc1a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189245/
  
URLhaus
https://urlhaus.abuse.ch/url/1634842/

Comments


Avatar
zbet commented on 2021-09-20 07:29:36 UTC

url : hxxp://renewal.fun/install.exe