MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27
SHA3-384 hash: 561ae1ce8f616aac97361986e3d7d68f66543872a041db5b8f2da831fbeb5aba311c9a6b86c0e6965cdbd7e2724a1a0c
SHA1 hash: 43f3a5e2d8def7698d368153ab7cc009370a78c7
MD5 hash: 8ad11384fc61815a3779fb6ef0fbdc11
humanhash: florida-king-oscar-fifteen
File name:8ad11384fc61815a3779fb6ef0fbdc11.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'007'616 bytes
First seen:2021-07-19 15:30:12 UTC
Last seen:2021-07-19 16:46:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:MvDBlBPIOBPACxrOh8bNwMutCBBAxA5lTIUq9:0pPDPLRU8BOjW5lcX
Threatray 4'702 similar samples on MalwareBazaar
TLSH T10325F1262227A104DC3883F91C65C1B12BFE6C29666DC6782DC8FD7F7EB267C5AD4580
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8ad11384fc61815a3779fb6ef0fbdc11.exe
Verdict:
Malicious activity
Analysis date:
2021-07-19 16:02:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ec043fc-5dca-4a1e-a893-ad3cb12cff1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172575/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935.23626.3384.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7334f60b-6e60-4492-849a-2b27b1588380
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818353
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450774 Sample: CzjipW8igf.exe Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 .NET source code references suspicious native API functions 2->47 8 CzjipW8igf.exe 3 2->8         started        process3 file4 31 C:\Users\user\AppData\...\CzjipW8igf.exe.log, ASCII 8->31 dropped 55 Detected unpacking (creates a PE file in dynamic memory) 8->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->57 59 Injects a PE file into a foreign processes 8->59 12 CzjipW8igf.exe 1 3 8->12         started        signatures5 process6 dnsIp7 33 mail.dm-teh.com 104.248.254.21, 49723, 587 DIGITALOCEAN-ASNUS United States 12->33 61 Tries to steal Crypto Currency Wallets 12->61 16 InstallUtil.exe 7 12->16         started        20 InstallUtil.exe 7 12->20         started        signatures8 process9 file10 27 C:\Users\user\AppData\...\eacxFGbR.exe, PE32 16->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->35 37 Tries to steal Mail credentials (via file access) 16->37 39 Tries to harvest and steal browser information (history, passwords, etc) 16->39 22 eacxFGbR.exe 3 16->22         started        29 C:\Users\user\AppData\...\RryzYgjx.exe, PE32 20->29 dropped 41 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->41 25 RryzYgjx.exe 3 20->25         started        signatures11 process12 signatures13 49 Antivirus detection for dropped file 25->49 51 Multi AV Scanner detection for dropped file 25->51 53 Machine Learning detection for dropped file 25->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 15:31:05 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366
RedLineStealer
29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02
RedLineStealer
2c47eb23ba1ee0ac5e7d880c3c57f4325c97593b492e801c0d5a99adc4318648
RedLineStealer
49b1f7e34f74b3ea4b97852292dfd6e856a58f74a181f5a3aadd6356503ae617
RedLineStealer
53174a644680154786d09b66cc8c4a1aa83c625bd10137600bf191573fa5c602
RedLineStealer
5c32fd3de4bce60a2529cebc5f47b8a1562ea9bd22549f829b22b0533b32f79b
RedLineStealer
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
RedLineStealer
6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd
RedLineStealer
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
RedLineStealer
+ 4'692 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210719-pxjkndkmbn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e2b0cfd36beb2a685664c8652448ee12f737d8285af9d524c4349940029621b5
MD5 hash:
b5778bbc039716b56c12afe5a892a139
SHA1 hash:
f576ca1a4c6b06eb1a735416bd7076b36d85f489
Link:
https://www.unpac.me/results/8bdab7f9-27ff-4323-8cee-b9a7e112d0ea/
SH256 hash:
11a338d86a42732ee36403a2d0613d14313f7cbc430e054bfdc28a7a1b4364ba
MD5 hash:
80e84b9eab88f2d6f6f411256ecefee7
SHA1 hash:
8ff1a2061e5b5168c4ca83b1029b90e66460d00b
Link:
https://www.unpac.me/results/8bdab7f9-27ff-4323-8cee-b9a7e112d0ea/
SH256 hash:
45e01fe5097c4dc19b7bb1dfb963d05ffb03cce330bbc67d3a0e5a017de5c887
MD5 hash:
75fc90536d2d440c5efdfe5b7eae6f10
SHA1 hash:
8a676cf07b755481a98411f328599420849036c5
Link:
https://www.unpac.me/results/8bdab7f9-27ff-4323-8cee-b9a7e112d0ea/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/8bdab7f9-27ff-4323-8cee-b9a7e112d0ea/
SH256 hash:
413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27
MD5 hash:
8ad11384fc61815a3779fb6ef0fbdc11
SHA1 hash:
43f3a5e2d8def7698d368153ab7cc009370a78c7
Link:
https://www.unpac.me/results/8bdab7f9-27ff-4323-8cee-b9a7e112d0ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1447745/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172575/

Comments