MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b463ff0e6e333d5f6b91d5bca2c76ce6fde2cd697af87aac8a1984548829d2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	4b463ff0e6e333d5f6b91d5bca2c76ce6fde2cd697af87aac8a1984548829d2c
SHA3-384 hash:	0dedc344a998029917a5d706c96a5e02ed68d6d9e4f770793ed2fa1e523fb36d345bbb443186395b461ae4a943318f24
SHA1 hash:	4187e7409ea896df78a9de79d25c7155d73d0ca0
MD5 hash:	72595a85b26af149529e59295cd4488d
humanhash:	carolina-grey-hot-south
File name:	RFQ scope of requirements PDF.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'343'488 bytes
First seen:	2021-08-17 05:20:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:VsEQDcIcOz1dpMPPWEEzJFnZ/BDEWL4M3TapfY9:eNJB3ZEITqfI
Threatray	16 similar samples on MalwareBazaar
TLSH	T1D655D93815B43A37E179C339DEE4482BE6D4F45BB211AA1A70DE57670243E42B89327F
Reporter	GovCERT_CH
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ scope of requirements PDF.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-17 05:22:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/80b22188-99e1-47cb-b024-e0046626ad58

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/179846/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.998-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/49c4579e-2271-440c-be3f-2c34a46f20fb

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/834093

Signature

.NET source code contains very large strings

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b463ff0e6e333d5f6b91d5bca2c76ce6fde2cd697af87aac8a1984548829d2c/

Threat name:

ByteCode-MSIL.Trojan.Hesv

Status:

Malicious

First seen:

2021-08-17 05:21:05 UTC

AV detection:

12 of 46 (26.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jndd74hg4mz5l5vzdvn4uldwzzx54lgws6xypkwiugmeksectuwa._file

Verdict:

unknown

RedLineStealer

374faa3594f8c5b22bff30ad8f7a42b24165397a013f8c6ddf68ae2a822e7e6e

RedLineStealer

554e86316de7db62bc551038465cdb026c9a78664e75374a4b87bbc07b89c4d3

RedLineStealer

6e94ad2cfcfdb5b7e94f52665edc3f5aab39ef286f164db5cd136086a26bb8fb

RedLineStealer

ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e

RedLineStealer

c0258a01a5881d1f5de632d7617a0e225173696db23fb99f72ea1c84e6be396c

RedLineStealer

d0793065451ae93e07e34af2d96929631fb3021595fdb6b68f5407d657918538

RedLineStealer

edd956a7bc18bf82d3716d1b7a9a485c7ed665edd53cd9459580e005e2735c17

RedLineStealer

f56ecbfb3ff67a82d23b8ddfa5f8cb46fc23b429056e02abddf30bff0630ec29

RedLineStealer

f6a307d243c407c27489de37adac83e9205be531cbb4e2cb71545627faf813fd

RedLineStealer

+ 6 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210817-b4mcdnm1ks/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

MD5 hash:

03bde4a82ad64c0f314985232fbca3fa

SHA1 hash:

e8d0b6339e94192eaaca32c812f914e60576dca6

Link:

https://www.unpac.me/results/e28ed839-ccfd-4722-8ac8-58c11fe1d32e/

SH256 hash:

4b463ff0e6e333d5f6b91d5bca2c76ce6fde2cd697af87aac8a1984548829d2c

MD5 hash:

72595a85b26af149529e59295cd4488d

SHA1 hash:

4187e7409ea896df78a9de79d25c7155d73d0ca0

Link:

https://www.unpac.me/results/e28ed839-ccfd-4722-8ac8-58c11fe1d32e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.52

Link:

https://yomi.yoroi.company/submissions/4b463ff0e6e333d5f6b91d5bca2c76ce6fde2cd697af87aac8a1984548829d2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

exe 4b463ff0e6e333d5f6b91d5bca2c76ce6fde2cd697af87aac8a1984548829d2c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/179846/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample