MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41a037f09bf41b5cb1ca453289e6ca961d61cd96eeefb1b5bbf153612396d919. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

SHA256 hash: 41a037f09bf41b5cb1ca453289e6ca961d61cd96eeefb1b5bbf153612396d919
SHA3-384 hash: e94bc2804aeee28b75d65338d781bf7f08d45e0d8e2643b849e806283adb8fa32754ff1a68f09377dede0974263fafb2
SHA1 hash: fc32670a240a9e42ba6c453a68dec0933a85355f
MD5 hash: a7eeab7e2e90d0373ebfb15243bff81a
humanhash: autumn-enemy-carpet-august
File name: 178.jar
Signature: RedLineStealer
File size: 14'612'480 bytes
First seen: 2023-06-07 12:04:31 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 196608:pYBQXEPt5WaR6SynIRkIqZ81rI61CYYY+YA+X3vMMIYlRCu+EGlYxMrdhMTbnb:8rt5WaRRkZ81rtTidk/MMUlwmhMTLb
TLSH: T1D7E6F032FE96D02ED783D13608D2C997F838459CE24AE56B17E0069AC9B4D8D4B53BCD
TrID: 52.9% (.JAR) Java Archive (13500/1/2)
      27.4% (.MAFF) Mozilla Archive Format (gen) (7000/1/1)
      15.6% (.ZIP) ZIP compressed archive (4000/1)
      3.9% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: Gi7w0rm
Tags: DynamicRAT jar java RAT RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 162
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 178.jar
Verdict: Malicious activity
Analysis date: 2023-06-07 12:07:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug lolbin obfuscated stealer
Result
Threat name: RedLine
Detection: malicious
Classification: spyw.expl.evad.troj
Score: 88 / 100
Signatures:
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 883324, sample 178.jar, start date 07/06/2023, architecture WINDOWS, score 88 (graph image not reproduced; processes shown in the graph: java.exe, javaw.exe, 7za.exe, netsh.exe, icacls.exe, conhost.exe)
Threat name: ByteCode-JAVA.Trojan.Generic
Status: Suspicious
First seen: 2023-06-02 10:49:23 UTC
File Type: Binary (Archive)
Extracted files: 9042
AV detection: 6 of 37 (16.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops startup file
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer
Java file jar 41a037f09bf41b5cb1ca453289e6ca961d61cd96eeefb1b5bbf153612396d919 (this sample)

Delivery method: Distributed via e-mail attachment
