MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857
SHA3-384 hash: 1fa0e0f74fb96a32ed7dbd92b43ce01c875b79c2b3844783843820b63ec734729a336f4a10d15c49615da08514a92fed
SHA1 hash: 5bd7dd27b5fb21edb4372cec11f6b2e58ecdb0c4
MD5 hash: a111bce8127628ad5dc14a50ca90f24c
humanhash: salami-lamp-fish-early
File name:a111bce8127628ad5dc14a50ca90f24c
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'237'952 bytes
First seen:2023-03-18 06:18:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:oHp/0DY1WoZ9EqGG64h7VzKT05rK1Ib1t4ntkNfuV/8w:Odd3LP64Lz3K1IvK6NmV
Threatray 249 similar samples on MalwareBazaar
TLSH T19DA5331299F85431CDFC2FF00CF297D31A357CD18A3453162FA5AE6A8DF2A16626136B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:a111bce8127628ad5dc14a50ca90f24c exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a111bce8127628ad5dc14a50ca90f24c
Verdict:
Malicious activity
Analysis date:
2023-03-18 06:20:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/83407826-6d73-40eb-a480-20d155fee6ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375258/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a UDP request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73701/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
advpack.dll CAB cmd.exe installer packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6415579c109d4db51669b9ce/reports/5c0e4211-ca6e-46fe-ada9-edfd438aa330/overview
Verdict:
Malicious
Labled as:
Packed.CAB
Link:
https://www.hybrid-analysis.com/sample/38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/22c927c3-fb47-4bc5-b6d6-db383b78ef67
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1196522
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 829423 Sample: FSXsB5vtNc.exe Startdate: 18/03/2023 Architecture: WINDOWS Score: 48 26 Multi AV Scanner detection for submitted file 2->26 7 FSXsB5vtNc.exe 1 8 2->7         started        10 rundll32.exe 2->10         started        process3 file4 20 C:\Users\user\AppData\...\edunudkycqr.dat, PE32+ 7->20 dropped 12 cmd.exe 2 7->12         started        process5 file6 22 C:\Users\user\AppData\Local\...\conhost.exe, PE32 12->22 dropped 15 conhost.exe 1 12->15         started        18 conhost.exe 12->18         started        process7 dnsIp8 24 7863325b35701679149200805.sec.irj55.shop 83.138.53.189, 18223 ATOS-NL-ASEindhovenNL Russian Federation 15->24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdvlq6xughf2do7mlsqq7kkqfifrcda3v5rxf5ocofmewaxlfblq._file
Verdict:
suspicious
Similar samples:
155c76210badfc3ef9bfc764a7ab3cb9702f76c9d63351a213f61d44abbf0b4f
RedLineStealer
18055486aef1f706a69134be283fffdad9c49f5ffecda5d869e74c2ae882cd6c
RedLineStealer
5235b4f3619c2a7c56d7ca2a22da5f0f07ce7b022fb8d8ad1b2c0c352d0cc122
RedLineStealer
5920894ae997b61f27b53c9f6e598df5f928acb11a5dc09f4fa0627747f1312d
RedLineStealer
a1a1e3ba5fd634d39e65b483e27accb1280b4716072efc8e91ba5f441e227b9c
RedLineStealer
a40aee29bf2ba1c033f54a839e74d887282fb13a833a4eed3bdbea9e7a0bb1b5
RedLineStealer
b72f222928dada0a651782c863ea29cd26241aa31ceda87bdad68ea7c57d04c5
RedLineStealer
bc18e4cbdd507f6bfabd5b73513ad430951544efe453a7516bebcbdefb6e9eb5
RedLineStealer
d4aa4e2919521f861933491197e59c37a9a574480f8b83f7a1fa82ddae3ca2b7
RedLineStealer
f7ec343d60a5e4cdc27ba8a5e7742752189d205fec9dc918779dc17b6ceeb98c
RedLineStealer
+ 239 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230318-g2lwqabe22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
03d67b7951bb1666c589b48a69060c8a21b1a8d05f729fb861a580a7276b7365
MD5 hash:
10549afad10dc1c077cd5a670fbd3127
SHA1 hash:
2dda85224673aa2a7617c64620853628cc7af92d
Link:
https://www.unpac.me/results/1aefd85b-9078-41ac-9a6b-b82613922ae1/
SH256 hash:
38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857
MD5 hash:
a111bce8127628ad5dc14a50ca90f24c
SHA1 hash:
5bd7dd27b5fb21edb4372cec11f6b2e58ecdb0c4
Link:
https://www.unpac.me/results/1aefd85b-9078-41ac-9a6b-b82613922ae1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38eab87af431/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/375258/

Comments