MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48e2a161b0fdf3dccf717a245fb44d119801714b4b23cc179753547a3277c02e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	48e2a161b0fdf3dccf717a245fb44d119801714b4b23cc179753547a3277c02e
SHA3-384 hash:	b49b6e7354190135758bdf4f23d96b4bbf53be8f7b13dd0d56b11fcbc808735ad1ab9c55d38b393ee6f4184d3ee72025
SHA1 hash:	b61152012210b0499d47abfc54aa7fe12ba6382e
MD5 hash:	e59eb7dccfd1619672051ebeb74a3a64
humanhash:	arizona-grey-bacon-failed
File name:	extract.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	167'936 bytes
First seen:	2022-10-09 06:24:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 61 x Rhadamanthys)
ssdeep	3072:cahKyd2n31d5GWp1icKAArDZz4N9GhbkrNEkO4CO:cahOpp0yN90QEe
Threatray	2'820 similar samples on MalwareBazaar
TLSH	T13CF36B0663F41166F4B6677499F202935A32BCA29B75C2EF1284D57E1E33AC0E931F27
TrID	83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 4.4% (.EXE) Win64 Executable (generic) (10523/12/4) 2.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	JAMESWT_WT
Tags:	afterburner-msi exe RedLineStealer

Intelligence

File Origin

# of uploads :

1

# of downloads :

311

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

https://fermia.online/MSIAfterburner.msi

Verdict:

Malicious activity

Analysis date:

2022-10-09 06:23:14 UTC

Tags:

loader trojan stealer

Link:

https://app.any.run/tasks/c3e5fbc5-80ea-4494-aab1-6e8e84e4ec65

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317989/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop14.3005.6497.22882.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a file

Launching cmd.exe command interpreter

Setting a single autorun event

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42075/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack.dll rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/63426940491b0c7e71c7de6e/reports/bc4cfc82-e4e1-4228-a522-e1479447d2c3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/64b43baa-a72e-482b-900f-d015e8652609

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1086433

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48e2a161b0fdf3dccf717a245fb44d119801714b4b23cc179753547a3277c02e/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jdrkcynq7xz5zt3rpisf7ncncgmac4kljmr4yf4xknkhumtxyaxa._file

Verdict:

unknown

Similar samples:

257b99a8149825c3714e40ef1f4e0d1ccb35e0cc692deeb4e9fab1f38d9dddc9

436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497

5ef79469533653cf78a5dbff0a9d408d13541b2245874598f0177cc139e5e841

7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476

8d28f3c7f370b5d1bf1868e5de0e16d380ca93d583ca74c45fae83ba24f9c8aa

9ceef6a61f77d5e5c9d65e5eff7c2ede91cd236839c09830322faf841167a5e3

a1a3d07b7d2a764011affbede324e5f01590697e110a1c934d21c3627d3d1484

c7a5001c2ba52418531e60d06072f4130bb9eabbba600f39a90521479ed3f1f8

+ 2'810 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/221009-g6lrhsgdg4/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Adds Run key to start application

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8b2f0a78-6a56-42bb-8bc4-a0f059788acb

Unpacked files

SH256 hash:

48e2a161b0fdf3dccf717a245fb44d119801714b4b23cc179753547a3277c02e

MD5 hash:

e59eb7dccfd1619672051ebeb74a3a64

SHA1 hash:

b61152012210b0499d47abfc54aa7fe12ba6382e

Link:

https://www.unpac.me/results/bb8187d0-451f-457c-a752-0361026bc847/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/48e2a161b0fdf3dccf717a245fb44d119801714b4b23cc179753547a3277c02e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/317989/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample