MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 394a86f45a0061e79dd2923a7db4256082edd7d6a278edd4ef7ed88c9b39acc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 394a86f45a0061e79dd2923a7db4256082edd7d6a278edd4ef7ed88c9b39acc8
SHA3-384 hash: 8ec8fe6cc197c24989de5898bbacd2102e938c5733278c71d69996b4dc29b94694e41e7571237093ac1525664c6b5dff
SHA1 hash: 8fa4d78ed28682bd5c8ea75d71ba67086b6994cb
MD5 hash: 5266623674cbd03f32f88643b0b605ae
humanhash: texas-johnny-mississippi-alaska
File name:5266623674cbd03f32f88643b0b605ae.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'145'728 bytes
First seen:2023-04-25 06:26:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:BL7qG6VsgK+hhy/bb1paDKVmjI+Q6rOwzfF6:s5+gKMs/bb1paDKVmjI+Q6Swz9
Threatray 1'886 similar samples on MalwareBazaar
TLSH T19BE57F3D36F4E101CDEB55B8DE4292F15BA3AE16C50A865329BA3F7D3C797840A0B847
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2f2b33492b331616 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dhl Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-04-25 06:25:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c18799fa-ca18-4223-b0ad-5920d5ae2bd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384722/
Detection(s):
SecuriteInfo.com.Gen.Variant.MSILHeracles.78711.18930.10827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Running batch commands
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Creating a window
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/644772c6809528e43aab49da/reports/6dcc9f09-e6d1-4b94-b981-7625dea41281/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/394a86f45a0061e79dd2923a7db4256082edd7d6a278edd4ef7ed88c9b39acc8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c2524462-a154-48ad-9d85-19781429de9f
Result
Threat name:
Redline Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1220488
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Redline Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 853432 Sample: kYv4OhOEXQ.exe Startdate: 25/04/2023 Architecture: WINDOWS Score: 100 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected Redline Clipper 2->57 59 3 other signatures 2->59 7 kYv4OhOEXQ.exe 2 2->7         started        11 svchost.exe 1 2->11         started        process3 file4 51 C:\Users\user\AppData\...\kYv4OhOEXQ.exe.log, ASCII 7->51 dropped 61 Injects a PE file into a foreign processes 7->61 13 cmd.exe 2 7->13         started        16 cmd.exe 3 7->16         started        19 cmd.exe 1 7->19         started        29 2 other processes 7->29 63 Antivirus detection for dropped file 11->63 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 cmd.exe 11->21         started        23 cmd.exe 1 11->23         started        25 cmd.exe 11->25         started        27 svchost.exe 2 11->27         started        signatures5 process6 file7 69 Uses schtasks.exe or at.exe to add and modify task schedules 13->69 71 Drops PE files with benign system names 13->71 31 conhost.exe 13->31         started        47 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 16->47 dropped 49 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 16->49 dropped 33 conhost.exe 16->33         started        35 conhost.exe 19->35         started        37 schtasks.exe 1 19->37         started        39 conhost.exe 21->39         started        41 schtasks.exe 1 21->41         started        43 conhost.exe 23->43         started        45 conhost.exe 25->45         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/394a86f45a0061e79dd2923a7db4256082edd7d6a278edd4ef7ed88c9b39acc8/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-04-25 01:57:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 22 (86.36%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hffin5c2abq6phossi5h3nbfmcbo3v6wuj4o3vhpp3mizgzzvtea._file
Verdict:
malicious
Similar samples:
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
RedLineStealer
1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4
RedLineStealer
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
RedLineStealer
7e397f197a4122d8a085b7a5c9d080aa9f103b87e40cc4166cd283b8ad679faf
RedLineStealer
7e8d18b9cb6c22b74f8d426e6b40e1a2ed7c1cb0526517b72e08a0bf7657e6ff
RedLineStealer
80201715ba93ce5c35c6fd6ac3c11bda569f5f7e473f8ae2f67f4405e4faa790
RedLineStealer
8acc5e78093d75cd1679b3314f7e79d8a3135a51a65d92d6fe36ed263e6a5860
RedLineStealer
a21042691ca3daa975ce1a24fba6115f2d762eef39cbaffd4245d582d286ea84
RedLineStealer
+ 1'876 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230425-g7sapagh46/
Behaviour
Creates scheduled task(s)
Suspicious behavior: SetClipboardViewer
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/73f5ad61-4dd8-4394-b620-13425b387d83/
SH256 hash:
ed9a0d33fa91b072fff556b85dd6c429b82b9c3ca4a2a72ef0cb99d2e304e256
MD5 hash:
dd36a53d692ea769e550f4205bc5c45f
SHA1 hash:
101053921115f7b1b809170dd6709e1e2ae3b315
Link:
https://www.unpac.me/results/73f5ad61-4dd8-4394-b620-13425b387d83/
SH256 hash:
394a86f45a0061e79dd2923a7db4256082edd7d6a278edd4ef7ed88c9b39acc8
MD5 hash:
5266623674cbd03f32f88643b0b605ae
SHA1 hash:
8fa4d78ed28682bd5c8ea75d71ba67086b6994cb
Link:
https://www.unpac.me/results/73f5ad61-4dd8-4394-b620-13425b387d83/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/394a86f45a0061e79dd2923a7db4256082edd7d6a278edd4ef7ed88c9b39acc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 394a86f45a0061e79dd2923a7db4256082edd7d6a278edd4ef7ed88c9b39acc8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2615741/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/384722/

Comments