MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ad3e0fd2eddbbd05a571142f93534256beae7d1d7be2fa43362e4e0b69792f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 5



SHA256 hash: 4ad3e0fd2eddbbd05a571142f93534256beae7d1d7be2fa43362e4e0b69792f8
SHA3-384 hash: a4d512f0bb2e960f5b140cb168c8de7d98e2cb728edf45ea03b26e94fedb02f58ae931f534aec8d79ed5ed5087c9add3
SHA1 hash: 27b218ef4c6274866028c9f77034a156ffa09ee1
MD5 hash: 4ab33f6ef49e19bca261ad1adf70aa32
humanhash: burger-march-golf-california
File name: 4ab33f6ef49e19bca261ad1adf70aa32
Signature: RedLineStealer
File size: 521'728 bytes
First seen: 2021-07-09 09:35:19 UTC
Last seen: 2021-07-09 10:35:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:GW8uCJjuCn6iQUB8CHPku8TvKNK6KSKKsrrXf8f3iMHcie9QBA+NyyUoY8SZ5GpX:GW2spxLrrlM5nayUtJ5GJ
Threatray: 6 similar samples on MalwareBazaar
TLSH: T1ECB40292A6A4E52ECE6F4FF6CD629BA01673B247D8F093C031FD92B44B53E50661319C
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 123
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4ab33f6ef49e19bca261ad1adf70aa32
Verdict: Suspicious activity
Analysis date: 2021-07-09 09:39:45 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph: [graph image not reproduced here] Behavior Graph ID: 446335; Sample: uFF6kh3u42; Start date: 09/07/2021; Architecture: WINDOWS; Score: 100. The graph shows uFF6kh3u42.exe dropping VGA.exe and AdvancedRun.exe, wscript.exe starting powershell.exe (with conhost.exe), a WerFault.exe crash, and a DNS/IP resolution of porncamsworld.com to 77.247.127.19 port 80 (CLOUVIDER Clouvider-GlobalASN GB, United Kingdom), plus a connection to 192.168.2.1.
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2021-07-09 04:31:51 UTC
AV detection: 8 of 46 (17.39%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: persistence
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Nirsoft
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe 4ad3e0fd2eddbbd05a571142f93534256beae7d1d7be2fa43362e4e0b69792f8 (this sample)

Delivery method: Distributed via web download
