MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36bd5c9ee48bc187184cf4cc9958a54ed65d04bc4a3cab022de3ede4277c97af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36bd5c9ee48bc187184cf4cc9958a54ed65d04bc4a3cab022de3ede4277c97af
SHA3-384 hash: 2e0e0ce0ea04e31ada7a8e2af44bb06c55a4993ba38f6529f78c6ab90c540b08d7d87c4273f61c8e5ead641f1162064e
SHA1 hash: 2d2dc484c488158b94f7caf13955557321f68b2d
MD5 hash: 5a68da6b106ec8490e7b7071480fdf8d
humanhash: hydrogen-fish-vermont-one
File name:5a68da6b106ec8490e7b7071480fdf8d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:373'760 bytes
First seen:2021-11-18 19:56:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:sbBj18jeeeeVeeeeeegeeKV8j3zJIahUsWoq0s1QEk3FNPzk+:NeeeeVeeeeeegeeKVe3zJ5hUhMbPzL
Threatray 20 similar samples on MalwareBazaar
TLSH T10E84E6553C1A9254DC6E73F5C42FE0FF53CB2E339462B81CA2E03A554B31A10EA5E79A
File icon (PE):PE icon
dhash icon 38fce8bae4a2ecf0 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5a68da6b106ec8490e7b7071480fdf8d.exe
Verdict:
No threats detected
Analysis date:
2021-11-18 20:03:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/26da1a5d-3896-41c0-9dd9-c14554f5bbb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/6196b01243e8f62b669937a8/reports/0cd410ef-4a80-4d34-9560-4f135e6e7327/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3e9a33c2-1b1e-4d1b-95d1-c4ea16bd4dc5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/892266
Signature
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 524742 Sample: 7AjGOfKV4R.exe Startdate: 18/11/2021 Architecture: WINDOWS Score: 64 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected RedLine Stealer 2->45 7 7AjGOfKV4R.exe 15 7 2->7         started        12 tmp75D5.tmp.exe 2->12         started        14 tmp75D5.tmp.exe 2->14         started        process3 dnsIp4 39 cdn.discordapp.com 162.159.130.233, 443, 49758, 49767 CLOUDFLARENETUS United States 7->39 35 C:\Users\user\AppData\...\tmp75D5.tmp.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\...\7AjGOfKV4R.exe.log, ASCII 7->37 dropped 47 Encrypted powershell cmdline option found 7->47 16 tmp75D5.tmp.exe 1 7->16         started        19 tmp75D5.tmp.exe 7->19         started        21 powershell.exe 25 7->21         started        23 WerFault.exe 12->23         started        25 WerFault.exe 12->25         started        file5 signatures6 process7 signatures8 41 Machine Learning detection for dropped file 16->41 27 WerFault.exe 20 9 16->27         started        29 WerFault.exe 19->29         started        31 WerFault.exe 19->31         started        33 conhost.exe 21->33         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36bd5c9ee48bc187184cf4cc9958a54ed65d04bc4a3cab022de3ede4277c97af/
Threat name:
ByteCode-MSIL.Downloader.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 19:57:06 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
0e92489b73bb3fbd644629abee74d571b62201f4faf50a15a23875cb9c3bb88c
RedLineStealer
181c80a7ad3a6a0e4c3cba6a4427a06b59c8f363c86cb8b35c7bb89e81b0a49c
RedLineStealer
1d1ad9014ce8356b997ff90266f50fb3314d7135e4cc9832128ebfa49f5b8aec
RedLineStealer
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
RedLineStealer
76b7e0265f5fd3d3fead08df85a41d4fac0ab5bd881f9c44dca6987e69c9b63c
RedLineStealer
9916784f8c95f2a5120a4aecf19540983b705bc4257c1c1acd4c3cec42d20bf4
RedLineStealer
bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37
RedLineStealer
dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287
RedLineStealer
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/211118-yn8xrsadf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
36bd5c9ee48bc187184cf4cc9958a54ed65d04bc4a3cab022de3ede4277c97af
MD5 hash:
5a68da6b106ec8490e7b7071480fdf8d
SHA1 hash:
2d2dc484c488158b94f7caf13955557321f68b2d
Link:
https://www.unpac.me/results/9aba4bf8-4d3b-4740-b804-238baf5a43e0/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/36bd5c9ee48b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/36bd5c9ee48bc187184cf4cc9958a54ed65d04bc4a3cab022de3ede4277c97af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 36bd5c9ee48bc187184cf4cc9958a54ed65d04bc4a3cab022de3ede4277c97af

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1642879/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207382/

Comments