MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e
SHA3-384 hash: eead063b0179f253cd7a235750cebd610f2656f54717e5919e33800ab22a8d48cbbf52426c242fa27339229628d7bf03
SHA1 hash: 4689e1ce8b0377527b174c9b0e6f6b2d3f3771ab
MD5 hash: e38762223f23dd3373ba4bff00f94c7a
humanhash: blossom-sixteen-friend-five
File name:e38762223f23dd3373ba4bff00f94c7a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:527'872 bytes
First seen:2021-08-22 12:25:49 UTC
Last seen:2021-08-22 12:48:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:YBIL6hD2x/HAWbR2zS4si0O1A83u2BSDoCqKcty:Yw6uHAW92zt/0Wu2BSMCqD
Threatray 22 similar samples on MalwareBazaar
TLSH T1A7B412B562EC1D3EC6AE4635C0E2F7877731A0D38253D74A5E8C6A086A823FE34547D6
dhash icon 587860e5d26c3810 (2 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e38762223f23dd3373ba4bff00f94c7a
Verdict:
Malicious activity
Analysis date:
2021-08-22 12:29:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa6eaa29-fafc-4053-a7ba-fc067d8d8ef6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181233/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop18.35062.2914.27219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a file
Launching a process
Sending a UDP request
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Avalon
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/588e9316-4546-4637-8339-f663534c333f
Result
Threat name:
Phoenix Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837039
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Phoenix Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469470 Sample: nQA1zSaFFV Startdate: 22/08/2021 Architecture: WINDOWS Score: 100 58 clientconfig.passport.net 2->58 66 Sigma detected: Xmrig 2->66 68 Antivirus detection for dropped file 2->68 70 Multi AV Scanner detection for dropped file 2->70 72 6 other signatures 2->72 8 Microsoft Edge.exe 14 6 2->8         started        12 nQA1zSaFFV.exe 6 2->12         started        signatures3 process4 dnsIp5 60 github.com 140.82.121.3, 443, 49734 GITHUBUS United States 8->60 62 raw.githubusercontent.com 185.199.110.133, 443, 49735 FASTLYUS Netherlands 8->62 64 2 other IPs or domains 8->64 42 C:\Users\user\...\xservicegpu.exe` (copy), PE32+ 8->42 dropped 44 C:\Users\user\...\DotNetZip-wyomqitg.tmp, PE32+ 8->44 dropped 46 C:\Users\user\...\DotNetZip-t3qvbn3a.tmp, PE32+ 8->46 dropped 48 C:\Users\user\...\mservicecpu.exe.. (copy), PE32+ 8->48 dropped 14 xservicegpu.exe 1 8->14         started        18 xservicegpu.exe 1 8->18         started        20 xservicegpu.exe 1 8->20         started        24 2 other processes 8->24 50 C:\Users\user\AppData\...\Microsoft Edge.exe, PE32 12->50 dropped 52 C:\...\Microsoft Edge.exe:Zone.Identifier, ASCII 12->52 dropped 54 C:\Users\user\AppData\...\nQA1zSaFFV.exe.log, ASCII 12->54 dropped 22 cmd.exe 1 12->22         started        file6 process7 file8 56 \Device\ConDrv, ASCII 14->56 dropped 74 Hides threads from debuggers 14->74 26 conhost.exe 14->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        76 Uses schtasks.exe or at.exe to add and modify task schedules 22->76 32 conhost.exe 22->32         started        34 timeout.exe 1 22->34         started        36 schtasks.exe 1 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 24->40         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e/
Threat name:
ByteCode-MSIL.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2021-08-21 17:22:48 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0b6311976a5d7d94c5bf373e982e9e03ea64cb4869b9399fb1f90c122cb2ced2
RedLineStealer
2aab7a13f9d2f77601b7a8228b976e02fe1960b1eaf6669f12e646e10ced6ca3
RedLineStealer
328c5eb8908b83c474ab4ab892ac1c2cae066f1f55dbcd15d850b54cc0f4c3cc
RedLineStealer
5073e1fa4493b7eda098621c9cc31bdcd36420e277aa9cdda5117def65c88ee9
RedLineStealer
599393e258d8ba7b8f8633e20c651868258827d3a43a4d0712125bc487eabf92
RedLineStealer
60ab8f94c2c07255e65790079803f15fa351f94363102883a14bae63d696c2ff
RedLineStealer
630a85d082105029c1f4962acea125d2dd7da277c060ee51544f748a58d0daaf
RedLineStealer
8eb247b1a7002346303316364559cc13f901212a79a42d76138cafa79719a132
RedLineStealer
9a048c8436c448e99a3a7047781ddc5d14a323660bd69f9fd7432c316083e3b6
RedLineStealer
b0fbbee768b77e2fe719f38622b54a01efd763255048374ab0340d56a430325f
RedLineStealer
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
agilenet
Link:
https://tria.ge/reports/210822-ytkme8251n/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Unpacked files
SH256 hash:
4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e
MD5 hash:
e38762223f23dd3373ba4bff00f94c7a
SHA1 hash:
4689e1ce8b0377527b174c9b0e6f6b2d3f3771ab
Link:
https://www.unpac.me/results/f8921aa6-c573-4d45-b183-077f2d064d40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1554462/
Cape
Cape
https://www.capesandbox.com/analysis/181233/

Comments


Avatar
zbet commented on 2021-08-22 12:25:50 UTC

url : hxxp://81.16.141.193/12345_protected.exe