MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44a14aed4c8b6d771d10522817dbdc97d4dfe1be4f9ae3e45749502c51a73c8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44a14aed4c8b6d771d10522817dbdc97d4dfe1be4f9ae3e45749502c51a73c8c
SHA3-384 hash: 1a97cfc01b931ed6e447b62fcfc0f9838d521cad83c0308fb438a2579ad5a35a472e621cdf4a8593b549fb4203ef26ab
SHA1 hash: 3996e8f4c9a12279658c64786a137ae4ca2fafba
MD5 hash: 00e44cd0dbe91f5bc18935e0f3d32c1a
humanhash: november-virginia-massachusetts-ceiling
File name:00e44cd0dbe91f5bc18935e0f3d32c1a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:158'208 bytes
First seen:2021-07-20 17:17:23 UTC
Last seen:2021-07-20 17:50:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:ioxlczinxpeqIoWKWbTOzsA39tMVOLV0Ixbp8mhL2KILeQVP/K9c4fxEMDKtGts:i8lOinxaobT3LKSbSkL51pfxEd
Threatray 65 similar samples on MalwareBazaar
TLSH T19AF31862A015D01BC65013FFDCB89A1B6C8C5D6637E0FA547D9BB55A8AFEC3C68E0720
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://zina-boutique.com/wp-content/uploads/2020/04/P3GlorySetp.exe
Verdict:
Malicious activity
Analysis date:
2021-07-20 15:50:04 UTC
Tags:
trojan loader evasion stealer
Link:
https://app.any.run/tasks/6c52a49e-1d60-4080-9217-b8f8558bb016

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172874/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.23264.11118.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a91c06f2-5e80-410e-9a67-575b2ae36fd1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/819132
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451539 Sample: u2Hp8YozPt Startdate: 20/07/2021 Architecture: WINDOWS Score: 92 47 Multi AV Scanner detection for submitted file 2->47 49 .NET source code contains potential unpacker 2->49 51 Found many strings related to Crypto-Wallets (likely being stolen) 2->51 53 2 other signatures 2->53 7 u2Hp8YozPt.exe 15 6 2->7         started        12 WinHoster.exe 2 2->12         started        14 WinHoster.exe 2 2->14         started        process3 dnsIp4 35 music-s.xyz 7->35 37 music-s.xyz 104.21.7.102, 443, 49691 CLOUDFLARENETUS United States 7->37 39 iplogger.org 88.99.66.31, 443, 49693, 49694 HETZNER-ASDE Germany 7->39 29 C:\Users\user\AppData\Roaming\4908741.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Roaming\3791763.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\...\u2Hp8YozPt.exe.log, ASCII 7->33 dropped 61 May check the online IP address of the machine 7->61 63 Performs DNS queries to domains with low reputation 7->63 16 4908741.exe 1 4 7->16         started        20 3791763.exe 1 7->20         started        file5 signatures6 process7 file8 27 C:\Users\user\AppData\...\WinHoster.exe, PE32 16->27 dropped 41 Antivirus detection for dropped file 16->41 43 Multi AV Scanner detection for dropped file 16->43 45 Machine Learning detection for dropped file 16->45 22 WinHoster.exe 2 16->22         started        25 WerFault.exe 17 9 20->25         started        signatures9 process10 signatures11 55 Antivirus detection for dropped file 22->55 57 Multi AV Scanner detection for dropped file 22->57 59 Machine Learning detection for dropped file 22->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44a14aed4c8b6d771d10522817dbdc97d4dfe1be4f9ae3e45749502c51a73c8c/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 17:18:15 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=isquv3kmrnwxohiqkiubpw64s7kn7yn6j6nohzcxjficyunhhsga._file
Verdict:
unknown
Similar samples:
4b13b5acc2c0566e5ea6bd47824ef00b96ed925a6b3754df5245e10a5205a2f4
RedLineStealer
5b318a71a891d9f64fff9de8dc4868c9d1e563701a8272a6b281f295c7bdd43d
RedLineStealer
649196028a2da14a49c0e7ac613ddb03e5cc6ab289081ee32d08b192d562859a
RedLineStealer
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
RedLineStealer
9706247fdb847874ca3fad6229787e37299be25d938af865a8e5b132bf313b89
RedLineStealer
ba1cd3d4f48da85e9f89e0123008b4c26b9e2fec176f7e973827f0a87c74e337
RedLineStealer
ccfd6e626a5381e700e06cec9abf41543d924a7f04d9f78ef3a04a847577d31e
RedLineStealer
cd84c2fe9c5f3783d3a6ebdea43e14774975f092ef5242a857b9a4a28e14878a
RedLineStealer
f6aa394f7b0a0f629da6831a1134e4a6cbf21c70dce7f4133319d638d4b58023
RedLineStealer
+ 55 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/210720-2dhfvw2hvj/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
d2198495a6c4606d73958cd24acc1ad753a7daae4be1f78a33b61c4e2b3b4fc3
MD5 hash:
c4bd9c5ba97c74330f567b0a9d32699d
SHA1 hash:
77df1a87f35f74eb624ee07b758d12fd85a22147
Link:
https://www.unpac.me/results/cd02e1c4-018d-4728-b643-a120be977814/
SH256 hash:
44a14aed4c8b6d771d10522817dbdc97d4dfe1be4f9ae3e45749502c51a73c8c
MD5 hash:
00e44cd0dbe91f5bc18935e0f3d32c1a
SHA1 hash:
3996e8f4c9a12279658c64786a137ae4ca2fafba
Link:
https://www.unpac.me/results/cd02e1c4-018d-4728-b643-a120be977814/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44a14aed4c8b6d771d10522817dbdc97d4dfe1be4f9ae3e45749502c51a73c8c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 44a14aed4c8b6d771d10522817dbdc97d4dfe1be4f9ae3e45749502c51a73c8c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1440660/
Cape
Cape
https://www.capesandbox.com/analysis/172874/

Comments


Avatar
zbet commented on 2021-07-20 17:17:23 UTC

url : hxxp://zina-boutique.com/wp-content/uploads/2020/04/P3GlorySetp.exe