MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bf7e42dbb9b672b3ad79dcece4dbf8a0ffdea5634ce7f6425d05b31ca1a92ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 4bf7e42dbb9b672b3ad79dcece4dbf8a0ffdea5634ce7f6425d05b31ca1a92ff
SHA3-384 hash: 1ce531599b8a30c937139e6894c809215b56c049dad1d724e657514f3f5d2ecc106a7692c3dd11d1c095a61e5741ba40
SHA1 hash: d541b4c7d40ad12665afab24d664e0a2db2e24ba
MD5 hash: a6e1e712218d7be57c7b7035edd5cbb7
humanhash: bluebird-arizona-pip-carpet
File name: a6e1e712218d7be57c7b7035edd5cbb7.exe
Signature: RedLineStealer
File size: 8'413'252 bytes
First seen: 2022-01-19 23:42:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JwEQhtu5BB/c5NSNMFvsuDTN1EDxeLuoe9RwwGWtFzQP:JvuWBB4SNKvs+1EleLuoe9RwwGWLEP
TLSH: T1D48633D3077D681FDEE502374093B1655BBF0B202BDB8E5E9E2D96A3D18F66460B1AC0
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
92.255.57.115:59426

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox reference
92.255.57.115:59426    https://threatfox.abuse.ch/ioc/304378/

Intelligence


File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6e1e712218d7be57c7b7035edd5cbb7.exe
Verdict:
No threats detected
Analysis date:
2022-01-19 23:46:02 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe expand.exe overlay packed redline shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Encrypted powershell cmdline option found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Suspicious Encoded PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
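Three of the signatures above (Encrypted powershell cmdline option found, Sigma detected: Suspicious Encoded PowerShell Command Line, Disables Windows Defender (via service or powershell)) describe a pattern that can be checked directly in process-creation telemetry. The following is an added example, not code from MalwareBazaar or the sandbox vendor: it decodes the Base64/UTF-16LE blob that powershell.exe accepts after -EncodedCommand (or any unambiguous prefix such as -enc) and then searches the decoded text for Defender-tampering commands. The SAMPLE_EVENTS records are constructed for the demonstration; their field names follow Sysmon process-creation events, and the command lines are invented, not recovered from this sample.

```python
"""Decode PowerShell -EncodedCommand blobs from process-creation events and
flag Windows Defender tampering in the decoded script.

Added example; not code from MalwareBazaar or the sandbox vendor whose
signatures are listed above. SAMPLE_EVENTS is constructed: the field names
follow Sysmon process-creation events and the command lines are invented
for the demonstration, not recovered from this sample.
"""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...). Capture the flag and the Base64 token after it; the prefix test
# in decode_encoded_command() rejects unrelated flags such as -ExecutionPolicy.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Defender-tampering patterns, matched case-insensitively against the decoded
# (or plain) command text. The names echo the sandbox signature above; the
# regexes are this example's own.
DEFENDER_TAMPER = {
    "Set-MpPreference -Disable*": re.compile(r"set-mppreference[^;|\n]*-disable", re.I),
    "Add-MpPreference -Exclusion*": re.compile(r"add-mppreference[^;|\n]*-exclusion", re.I),
    "stop/disable WinDefend service": re.compile(
        r"(stop-service|sc(\.exe)?\s+(stop|config))\s+[^;|\n]*windefend", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an -EncodedCommand blob, else None."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue
        try:
            # PowerShell encodes the script as UTF-16LE before Base64.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def analyze_event(event):
    """Classify one process-creation record; returns a list of finding strings."""
    findings = []
    cmdline = event.get("CommandLine", "")
    script = decode_encoded_command(cmdline)
    if script is None:
        script = cmdline            # plain command lines are checked as-is
    else:
        findings.append("encoded PowerShell command line")
    for name, rx in DEFENDER_TAMPER.items():
        if rx.search(script):
            findings.append(f"Defender tampering: {name}")
    return findings


def _encode(script):
    """Build an -EncodedCommand blob the way PowerShell expects it (used for the constructed events)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    {   # constructed: a loader disabling real-time scanning and excluding its drop directory
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup_install.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + _encode(
            "Set-MpPreference -DisableRealtimeMonitoring $true; "
            "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Local\\Temp'"),
    },
    {   # constructed: an administrative script launched from Explorer, not encoded
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    },
    {   # constructed: service-level Defender disable through cmd.exe
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup_install.exe",
        "CommandLine": "cmd.exe /c sc config WinDefend start= disabled",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ParentImage"], "->", ev["Image"], analyze_event(ev) or "no findings")
```

The decode step matters more than the pattern list: a rule that only greps the raw command line for Set-MpPreference never sees the first event, because the string exists only inside the UTF-16LE blob. Matching the prefix of the flag rather than the literal -EncodedCommand closes the -e/-ec/-enc variants that a plain substring match misses.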
Behaviour
Behavior Graph:
Behavior Graph ID 556433; sample CQcSIq9q3S.exe; start date 20/01/2022; architecture WINDOWS; score 100.

Network contacts attached to the start node:
  46.30.41.232 (EUROBYTE Eurobyte LLC, Moscow, Russian Federation)
  signaturebusinesspark.com 103.211.216.223:443 (PUBLIC-DOMAIN-REGISTRY, Seychelles)
  4 other IPs or domains
Signatures attached to the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 16 other signatures.

Process tree (network contacts, dropped files and signatures per node):
  CQcSIq9q3S.exe
    drops C:\Users\user\AppData\...\setup_installer.exe (PE32)
    setup_installer.exe
      drops C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\...\61e59bf4142c3_Mon16e8cda455d.exe (PE32); C:\Users\...\61e59bf1f2b0e_Mon16a6c2631.exe (PE32); 18 other files (11 malicious)
      setup_install.exe
        contacts raitanori.xyz 172.67.217.227:80 (CLOUDFLARENET, United States); 127.0.0.1
        signatures: Performs DNS queries to domains with low reputation; Disables Windows Defender (via service or powershell)
        cmd.exe
          61e59be429b18_Mon1664da5b3cc.exe
            contacts ip-api.com 208.95.112.1:80 (TUT-AS, United States); 45.136.151.102 (ENZUINC-US, Latvia)
            drops C:\Users\user\AppData\Local\Temp\11111.exe (PE32)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine
            11111.exe
              signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)
        cmd.exe
          61e59be347cec_Mon168ad5c1c0.exe
            signatures: Machine Learning detection for dropped file; Sample uses process hollowing technique; Injects a PE file into a foreign processes
        cmd.exe
          61e59bec910ce_Mon1669a720.exe
            signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade analysis by execution special instruction which cause usermode exception; Hides threads from debuggers
        12 other processes
          signatures: Disables Windows Defender (via service or powershell)
          61e59be5e9557_Mon16fc32af8c71.exe
            contacts iplogger.org 148.251.234.83:443 (HETZNER-AS, Germany); www.listincode.com 149.28.253.196:443 (AS-CHOOPA, United States); 192.168.2.1
          61e59bee22906_Mon168d46fc88.exe
          61e59be8847ce_Mon16d36d8a68.exe
            drops C:\Users\...\61e59be8847ce_Mon16d36d8a68.exe (PE32)
            signatures: Encrypted powershell cmdline option found
          6 other processes
            contacts 78.46.137.240 (HETZNER-AS, Germany)
            drops C:\Users\...\61e59be70fabb_Mon1647f3c3f0.tmp (PE32)
            signatures: Obfuscated command line found; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
            61e59be70fabb_Mon1647f3c3f0.tmp
              drops C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
Threat name:
Win32.Trojan.Pwsx
Status:
Malicious
First seen:
2022-01-18 04:22:19 UTC
File Type:
PE (Exe)
Extracted files:
409
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
Result
Malware family:
socelars
Score:
  10/10
Tags:
family:onlylogger family:smokeloader family:socelars aspackv2 backdoor discovery loader persistence spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://www.kvubgc.com/
http://nahbleiben.at/upload/
http://noblecreativeaz.com/upload/
http://tvqaq.cn/upload/
http://recmaster.ru/upload/
http://sovels.ru/upload/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
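The IOC section above gives one reported RedLine C2 socket, the behaviour graph lists the hosts the run actually contacted, and the extracted configuration adds the C2 URLs of the bundled loaders. Not all of these carry the same weight: ip-api.com, iplogger.org and the Cloudflare-fronted address are shared services (the sandbox tags this as "Legitimate hosting services abused for malware hosting/C2"), so a lone hit on them is corroboration, not a verdict. The following is an added example, not code from MalwareBazaar, ThreatFox or the sandbox vendors, that tiers those indicators and runs them over Zeek-style JSON log lines. SAMPLE_LOG is constructed for the demonstration (internal 10.0.0.x clients, a TEST-NET address for unrelated traffic) and is not traffic from this sample's run.

```python
"""Match Zeek-style network logs against the indicators on this page.

Added example; not code from MalwareBazaar, ThreatFox or the sandbox vendors.
The indicator lists are copied from the IOC section, the behaviour graph and
the extracted malware config above. SAMPLE_LOG is constructed (10.0.0.x
internal hosts, a TEST-NET-3 address for unrelated traffic) and is not
traffic from this sample's run.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Tier 1: the reported RedLine C2 socket (ThreatFox ioc/304378) and the hosts
# of the C2 URLs extracted from the bundled loaders' configurations.
C2_SOCKETS = {("92.255.57.115", 59426)}
C2_URLS = [
    "http://www.kvubgc.com/",
    "http://nahbleiben.at/upload/",
    "http://noblecreativeaz.com/upload/",
    "http://tvqaq.cn/upload/",
    "http://recmaster.ru/upload/",
    "http://sovels.ru/upload/",
    "http://host-data-coin-11.com/",
    "http://file-coin-host-12.com/",
]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# Tier 2: other hosts and addresses the behaviour graph shows the run contacting.
OBSERVED_HOSTS = {"signaturebusinesspark.com", "raitanori.xyz", "www.listincode.com"}
OBSERVED_IPS = {"46.30.41.232", "103.211.216.223", "45.136.151.102",
                "149.28.253.196", "78.46.137.240"}

# Tier 3: shared services the sample used (IP lookup, click logger, a
# Cloudflare-fronted address). Benign traffic hits these too, so a lone match
# is corroboration, not an alert.
SHARED_HOSTS = {"ip-api.com", "iplogger.org"}
SHARED_IPS = {"208.95.112.1", "148.251.234.83", "172.67.217.227"}

SEVERITY = {"high": 3, "medium": 2, "low": 1}


def classify(rec):
    """Return (severity, detail) for one Zeek JSON record, or None if nothing matches."""
    path = rec.get("_path")
    if path == "conn":
        host, port = rec.get("id.resp_h"), rec.get("id.resp_p")
        if (host, port) in C2_SOCKETS:
            return ("high", f"RedLine C2 socket {host}:{port}")
        if any(host == ip for ip, _ in C2_SOCKETS):
            return ("medium", f"RedLine C2 address {host} on unexpected port {port}")
        if host in OBSERVED_IPS:
            return ("medium", f"address contacted by sample: {host}")
        if host in SHARED_IPS:
            return ("low", f"shared service address: {host}")
    elif path == "dns":
        name = rec.get("query", "").lower().rstrip(".")
        if name in C2_HOSTS:
            return ("high", f"DNS for extracted C2 host {name}")
        if name in OBSERVED_HOSTS:
            return ("medium", f"DNS for host contacted by sample: {name}")
        if name in SHARED_HOSTS:
            return ("low", f"DNS for shared service {name}")
    elif path == "http":
        host = rec.get("host", "").lower()
        url = f"http://{host}{rec.get('uri', '/')}"
        if any(url.startswith(u) for u in C2_URLS):
            return ("high", f"HTTP to extracted C2 URL {url}")
        if host in C2_HOSTS:
            return ("medium", f"HTTP to extracted C2 host {host}, different path")
    return None


def scan(lines):
    """Group matches by internal source address: {orig_h: [(severity, detail), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hit = classify(rec)
        if hit:
            hits[rec.get("id.orig_h", "?")].append(hit)
    return dict(hits)


def verdict(hits):
    """'alert' on any tier-1 hit, 'suspicious' on tier-2, 'info' if only tier-3 corroboration."""
    top = max((SEVERITY[s] for s, _ in hits), default=0)
    return {3: "alert", 2: "suspicious", 1: "info"}.get(top, "clean")


# Constructed Zeek JSON lines: 10.0.0.25 reproduces the sample's sequence
# (IP lookup, loader C2 upload path, RedLine socket); 10.0.0.31 only does a
# geolocation lookup; 10.0.0.40 talks to an unrelated TEST-NET address.
SAMPLE_LOG = """
{"_path":"dns","ts":1642636020.1,"id.orig_h":"10.0.0.25","query":"ip-api.com"}
{"_path":"conn","ts":1642636020.4,"id.orig_h":"10.0.0.25","id.resp_h":"208.95.112.1","id.resp_p":80,"proto":"tcp"}
{"_path":"http","ts":1642636021.0,"id.orig_h":"10.0.0.25","host":"nahbleiben.at","uri":"/upload/"}
{"_path":"conn","ts":1642636022.7,"id.orig_h":"10.0.0.25","id.resp_h":"92.255.57.115","id.resp_p":59426,"proto":"tcp"}
{"_path":"dns","ts":1642636100.0,"id.orig_h":"10.0.0.31","query":"ip-api.com"}
{"_path":"conn","ts":1642636200.0,"id.orig_h":"10.0.0.40","id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp"}
""".strip().splitlines()

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG).items():
        print(src, verdict(hits), *[f"[{s}] {d}" for s, d in hits], sep="\n  ")
```

Keying the verdict on the highest tier per source host means the geolocation lookup from 10.0.0.31 surfaces as information only, while the same lookup from 10.0.0.25 is reported next to the C2 socket that justifies the alert. The socket check is exact on address and port; a connection to the C2 address on another port is downgraded rather than dropped, since the ThreatFox entry documents one port, not the host.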
Unpacked files

SHA256 hash: 5016791e68923e487490a99dd308857b8f12eb3d42018693a2efc4f817e593c3
MD5 hash: 7f5ce18b5fd544fe1c4478070ac5a8a7
SHA1 hash: 11c33b9c8d587090ac4ac3c14b779d4068506409

SHA256 hash: 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash: 6449aa2e023c5931ac91815ca54225ed
SHA1 hash: 65b5f4df2c28472469ddf924e6b0d0a61394c612

SHA256 hash: 8dd540727940bfef9cf661b5efb1cc01ab5406d7bf1117413042560c8257cf16
MD5 hash: 7d267a8912c700ca5d6f3736f0b575ba
SHA1 hash: ff9872e9da01e5584a1acc23cbb9a1f700bb160b

SHA256 hash: e38a8ccf4894792679323c0bb51c2c75c3540076fed192f9aa6371a5c752ab5b
MD5 hash: 11e2aaab6dfe22a9aab8f2083deb5776
SHA1 hash: feba86d5d1a7b945987ba175c206fe01ab6e27b4

SHA256 hash: ceefc52d45579179ab919722f8dcf630044e1236a530542ce0a8f314f9700dd6
MD5 hash: ee15ded7b009be94189052b14b0c0879
SHA1 hash: e941c934d015c6fe16ab08e8e32943364c79dd5b

SHA256 hash: a36b23d78ef0dc642c12a4c6fdd5b89b055b4ca3fecd15b29ba053024d94becd
MD5 hash: 40c197b3f62220bfb0a8baf3f49c1bd3
SHA1 hash: e80b6b02df6c7d0020f4ffc4264fe74e50591489

SHA256 hash: 512e94c9a2fa7e11950f1c2924940d54713d1e3f8a7939ff0b831c4efd5f361c
MD5 hash: 04cb1f5ba711b6706da6b7d2f701a88d
SHA1 hash: c153f4ad04271f70fb6470a77d8fdffab1f4c1b6

SHA256 hash: 7d46b25b8c17c9c33b278aceedc58fd63bac070cf81bbe69ff86a2d08a498f51
MD5 hash: b041b51a645e9c30eba344efd8ad33b8
SHA1 hash: 8d74ed507bdc8128e6be390b72bba1b5022bed31

SHA256 hash: 002e654c9b385355ab2ede71cb5a8b39fd049a27447974e0cf9245979c8b37b1
MD5 hash: 76a3d8d1c633488be543adba8abecf66
SHA1 hash: 8021edba8c2199b9c5214ce7d24dc8890cdf35a2

SHA256 hash: 518ee034485614a237ddb63543620a0b92e30811081282f85d7fb390c529d8bf
MD5 hash: 6a68e525dae167134f8f4ace7a37f848
SHA1 hash: 7c3324386360047d7df6d16a7405ed6092634891

SHA256 hash: d10743bd7d352924dd2a1c73ec9849ce819c47eb9db9adf08872b5406a4bc2f1
MD5 hash: cf1b116644b9f54bfbc43eb1c161efbf
SHA1 hash: 68abb82e2a58a8e417cc4e088687b5a867e6309d

SHA256 hash: 305521ef91f990f9463ea5ee40a3f845fff77596069fe07bb56382650b0c5b0f
MD5 hash: 54957c8cbebba48f307197fc7824a559
SHA1 hash: 54c8342da8f51883ca448208914e5212c2b0010f

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: 77dae8bfb2f71eb22292e284468dae35f8a7f0d6bccbb655979839447d13634c
MD5 hash: 89e7d1d102e675ef49f3dbf4040617e7
SHA1 hash: 38e83ba9c7201ea942fd5f6f464d4537007c1cd9

SHA256 hash: 1797275e75d8bbcf8fc250cd21e7d2bfffe3d2f8822b6769c32e0865fc13159d
MD5 hash: 0d8e33078e1a52d4b070476cd9283e4b
SHA1 hash: f3f7959cc8158e06aa1248b174ca68386387a837

SHA256 hash: c67d03aab3ed99556c901190c120407749e94cfd10a3478b6a78985a475efa1b
MD5 hash: efd491a6a1cf1fdfdbf29ca25753af40
SHA1 hash: 3bddc4c097ce86792b0fb170052c7aba5b1bb82b

SHA256 hash: 7a4a98b06f932b4f57ddecab0749d176c870446c87035f2fdf04a7e760b70cd4
MD5 hash: 98b4cfbcd80585cf2e74a300652abd5a
SHA1 hash: 91930cea720fbb3843963c04c0f8091d86cdc9d1

SHA256 hash: bd0f3906c407bc016a70d09c65944ef74b5fd63f6eb17856e78b048f0e39402d
MD5 hash: 238cc5a0680612f0cea8916d91c8a106
SHA1 hash: 3873c55a3e87b4c4e1fe899f012922e22e00f2e5

SHA256 hash: a7285211e5a5e34c6b534b89042303fb0029273cda0cc5a31466bbb2fce323ff
MD5 hash: 17aead068d776e9d504d9e3360428d82
SHA1 hash: 2c40a4ed045f9ed5e0e9c8227145b9f7a49827b7

SHA256 hash: cb1d529d38e618c7dc738abb6828b7810f2febce55239504b6f3ec18b593fa3e
MD5 hash: f870fbc2aec8ebba0b14bb4304c3a46f
SHA1 hash: d26da22cbeb7469d77742e6d5025fd22d4e15d2d

SHA256 hash: 587ddbf376ad9cb325b931a11ae315d0c36577c1bfdab3e99a89bf441a4b5ebd
MD5 hash: 761a99a8c9064498492a9cae2cdc191b
SHA1 hash: 0e4c77f79642fe44493d912ed3b7457bfba3e6ad

SHA256 hash: 3bed85b661ed38bfbb8783b54c8569b94a893ea0fa21a18330c37faf87bfe8f5
MD5 hash: 129137dd228a08a3a057cd0e9211d577
SHA1 hash: e76ec6f80fee2b6e9474bdea644ec42960e69e9c

SHA256 hash: de0bb52f30c3fc230e889144eda5733da41fd6ea8a87e7a89d003cd5eb60ae7d
MD5 hash: cc7b12066afc3bc53e9e632df9a83400
SHA1 hash: 3bf222561af755b347e7e21b3ea6515a2d2177e5

SHA256 hash: 8d2d5a7122d4fa191042b76e74835889a23c5e0733b8b4ee69aaf5eec3a03d16
MD5 hash: d0dbf4b834dfdbc48d18d186af488734
SHA1 hash: a3ba92242c589ee7e502a23679d22abf5759d2ec

SHA256 hash: e38ab0abd0fe61ba235d8a3d58456e9b9f9b2df90fd2f1671f3bcc5224560550
MD5 hash: 365b86514fb4d365fee3c91786d0968b
SHA1 hash: 74d5781186cc09cda09b5f45f092383a5c9e1f23

SHA256 hash: 378a95149c41a5ac8f922c962423e5e7c75d9db9397c2416e8bc8f185147f9a4
MD5 hash: e1314a9a8af328c81a67fbbea0a226d3
SHA1 hash: 1a887fe5962a1ea70ab58a460afd2f17d0d9e589

SHA256 hash: 3f7020b86db1fc4573c6c3520d2c1ef2441dbf65d4db64eeff3ce14c39b623ee
MD5 hash: 472ba09afffdad198a85bdff2425072c
SHA1 hash: 4c7e38b5776ef6e257db05a59f8c261174e1c050

SHA256 hash: 54ea4832965befedad8e90d9eb218c3832a6f3f5a848ff33adc12c2769a1b498
MD5 hash: 835a7524522fd7148e27ac4a9d68c00c
SHA1 hash: 768a2b6c6f0d3694131c0d4171a479537163b417

SHA256 hash: 4bf7e42dbb9b672b3ad79dcece4dbf8a0ffdea5634ce7f6425d05b31ca1a92ff
MD5 hash: a6e1e712218d7be57c7b7035edd5cbb7
SHA1 hash: d541b4c7d40ad12665afab24d664e0a2db2e24ba
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
