MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 340a20ce082c4ee7ec9f806adacfe43ce789b8eabcf81d7465dcc18419e55d8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 340a20ce082c4ee7ec9f806adacfe43ce789b8eabcf81d7465dcc18419e55d8a
SHA3-384 hash: bddc350bf4a3745832902ab8e1550892b1da86e74d26850b35b3b40a96a370742b6cabb85dee588c2971524be1b5e181
SHA1 hash: 79206d6027b0d57b25ec96b041b68470b50d2e75
MD5 hash: 37e8e14c99b820d0f042cd99d0853208
humanhash: high-glucose-bakerloo-sweet
File name:37e8e14c99b820d0f042cd99d0853208
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:929'280 bytes
First seen:2021-09-20 08:19:21 UTC
Last seen:2021-09-20 09:01:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:7qn4G4XkEFRk8L0jaSoxh8kE3jiqJ8JBjyHZX0MQEXPNE+orut4HlmBpRT6pcbDl:7+4G4Xkcu8Auz8NDZ48L6CFsId
Threatray 48 similar samples on MalwareBazaar
TLSH T159159D8D6ECB1F88EFC4097D6F259B235E30D16071C3A3A766BC23345B9E3A41B85586
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://sherence.ru/QJEteAArirDjfh2.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 07:56:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0558408-feb3-4307-ac64-033f339a017b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189354/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.6.Gen.23990.22515.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a file
Creating a window
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Malware family:
BloodyStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7450047f-9e44-45d0-8531-2209205c53c0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853837
Signature
.NET source code references suspicious native API functions
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486270 Sample: FwOpJZ3Pb7 Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 31 Multi AV Scanner detection for submitted file 2->31 33 .NET source code references suspicious native API functions 2->33 35 Machine Learning detection for sample 2->35 37 Drops executables to the windows directory (C:\Windows) and starts them 2->37 6 FwOpJZ3Pb7.exe 7 27 2->6         started        10 RuntimeBroker.exe 3 2->10         started        12 ShellExperienceHost.exe 3 2->12         started        14 9 other processes 2->14 process3 file4 19 C:\Windows\System32\wbem\...\WmiPrvSE.exe, PE32 6->19 dropped 21 C:\Windows\System32\cmstp\RuntimeBroker.exe, PE32 6->21 dropped 23 C:\Windows\System32\...\dllhost.exe, PE32 6->23 dropped 25 11 other files (10 malicious) 6->25 dropped 39 Detected unpacking (overwrites its own PE header) 6->39 41 Creates multiple autostart registry keys 6->41 43 Drops executables to the windows directory (C:\Windows) and starts them 6->43 55 2 other signatures 6->55 16 RuntimeBroker.exe 1 2 6->16         started        45 Multi AV Scanner detection for dropped file 10->45 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->47 49 Machine Learning detection for dropped file 10->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->51 53 Tries to detect virtualization through RDTSC time measurements 12->53 signatures5 process6 dnsIp7 27 94.250.250.1, 49743, 49744, 49745 THEFIRST-ASRU Russian Federation 16->27 29 192.168.2.1 unknown unknown 16->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/340a20ce082c4ee7ec9f806adacfe43ce789b8eabcf81d7465dcc18419e55d8a/
Threat name:
ByteCode-MSIL.Trojan.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 21:50:11 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
309e1c2273438c39e256372e5fbaec1e790767d7c966fc323fac368d34acf7a8
RedLineStealer
4088596950d2caffe223750d63f9b3ffd83aac1611748e82da11a244e90430d8
RedLineStealer
716b373d586926bb42f955ed155ac900e1d19494150d0539f22225b03d47f424
RedLineStealer
8486a418f9f04f24f3792559221ef2f13b613f9a6fab066a264211e52638fad7
RedLineStealer
8e0fb8a88118787644f807d2c7d746cf2d35888aff6031a28888f024187f6d02
RedLineStealer
db2e0387321f6901c75228564c23c7d55a4d05e5b9bbe54a7f11a85b3d187dab
RedLineStealer
dfa8a5144d89c3e1858c50b566bf1906e15491295cf5115d86b1d7209e15b557
RedLineStealer
e10e6de81f3af56db427e5c916171887171686ec46812dbebecee354f6c2a0cd
RedLineStealer
e2a3d9b8067133ddbcaedfc53e6f730cdb1df00db8d3255e98e63b6d49b67e24
RedLineStealer
f4f845267f7126cfdfc8ca2aa6ebe1dd3833a74e393b1d0acf76cb33acb3e740
RedLineStealer
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
agilenet persistence
Link:
https://tria.ge/reports/210920-j8jq2sddh4/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
MD5 hash:
edd74be9723cdc6a5692954f0e51c9f3
SHA1 hash:
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
Link:
https://www.unpac.me/results/5cedcf29-6fe1-44d5-ab97-8f792acaee63/
SH256 hash:
340a20ce082c4ee7ec9f806adacfe43ce789b8eabcf81d7465dcc18419e55d8a
MD5 hash:
37e8e14c99b820d0f042cd99d0853208
SHA1 hash:
79206d6027b0d57b25ec96b041b68470b50d2e75
Link:
https://www.unpac.me/results/5cedcf29-6fe1-44d5-ab97-8f792acaee63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/340a20ce082c4ee7ec9f806adacfe43ce789b8eabcf81d7465dcc18419e55d8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 340a20ce082c4ee7ec9f806adacfe43ce789b8eabcf81d7465dcc18419e55d8a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189354/
  
URLhaus
https://urlhaus.abuse.ch/url/1634883/

Comments


Avatar
zbet commented on 2021-09-20 08:19:22 UTC

url : hxxp://sherence.ru/QJEteAArirDjfh2.exe