MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 475f82ff7689408b2a97a3daaa75585a3b783d4e64aec531060cd604f91385d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 5



SHA256 hash: 475f82ff7689408b2a97a3daaa75585a3b783d4e64aec531060cd604f91385d4
SHA3-384 hash: df8a3818e0a3f30e11195f232a3e9b0df0c98544d0a037c5f57d9fb1fa50052eab954d94b715adc282b120863b85db58
SHA1 hash: 4e0e7a6a6b4251bcc25d1f99cfd9967e6056d3f1
MD5 hash: 3be95a8935184b54bed0b7e82c3abdc8
humanhash: fruit-bluebird-autumn-india
File name: 3be95a8935184b54bed0b7e82c3abdc8
Signature: RedLineStealer
File size: 132'096 bytes
First seen: 2021-09-20 11:37:43 UTC
Last seen: 2021-09-20 14:25:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'655 x Formbook, 12'248 x SnakeKeylogger)
ssdeep: 1536:5Ba2Ov4RBFpUaaaXIpG8lZps4h9VbMJFtNEXN0zv0wRoEA2TmQRDSTlM9wM:5BBOqU7SwG8BMskSlg
TLSH: T1F2D3C7337214A379E3D96F30F4603ECB36699638195C7748B059B2DEBE2978C59F02A4
dhash icon: 32e0c0e8d0d0f0f8 (2 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3be95a8935184b54bed0b7e82c3abdc8
Verdict: Malicious activity
Analysis date: 2021-09-20 11:40:19 UTC
Tags: stealer evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Launching a process
Creating a file in the %temp% directory
Creating a window
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph: (graph image not reproduced here; Behavior Graph ID: 486422, Sample: mzHvAahOeJ, Startdate: 20/09/2021, Architecture: WINDOWS, Score: 88)
Threat name: ByteCode-MSIL.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-20 11:38:08 UTC
AV detection: 13 of 28 (46.43%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SHA256 hash: a154719dfe98312b06cdff768b55a731068f2f26961b8a506073632a15000712
MD5 hash: 3e4088f1914032b3aad25567a9202669
SHA1 hash: aa102c915a3e0a8f9b7415af9942bbff5d291dff
SHA256 hash: 475f82ff7689408b2a97a3daaa75585a3b783d4e64aec531060cd604f91385d4
MD5 hash: 3be95a8935184b54bed0b7e82c3abdc8
SHA1 hash: 4e0e7a6a6b4251bcc25d1f99cfd9967e6056d3f1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe 475f82ff7689408b2a97a3daaa75585a3b783d4e64aec531060cd604f91385d4 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-09-20 11:37:44 UTC

url : hxxps://eurekabike.com/pmzero/design/html/PBrowFile11.exe