MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c62c2ecd995bf191bb07ef249faea4c1f1f1e05a60fcdf60743cbd4bb9dc4da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	4c62c2ecd995bf191bb07ef249faea4c1f1f1e05a60fcdf60743cbd4bb9dc4da
SHA3-384 hash:	179fc289da8302ad0f7e0f351166fef342d655926d01db413dd647c0696fd5f564cd05ef07a2f8714adbc0af2c8e892b
SHA1 hash:	555feeac19216ee1d054209cb976a57c82aa88a2
MD5 hash:	542ac52c4d78fc0438756572bebbcf7e
humanhash:	vegan-delta-michigan-india
File name:	DHL Shipping Instruction_Pdf.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	544'768 bytes
First seen:	2021-05-20 17:50:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:5JxoEKzlYlPKleAjcLTfPyz8n4CF7A6C6V4xsE9H:5uzGPmeAcvqYpAxZ9
Threatray	104 similar samples on MalwareBazaar
TLSH	57C4F13622D92F4AE57EAB79153010100BFBF499E736F70E3E9554DE49A7F0086B1B22
Reporter	abuse_ch
Tags:	DHL exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/160248/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.747-1.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/786452

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c62c2ecd995bf191bb07ef249faea4c1f1f1e05a60fcdf60743cbd4bb9dc4da/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-05-20 17:51:20 UTC

AV detection:

17 of 47 (36.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jrrmf3gzsw7rsg5qp3zet6xkjqpr6hqfuyh435qhipf5jo45ytna._file

Verdict:

unknown

RedLineStealer

2f7909f2f9c886007630cef749f408d4d7be271182dadf6bb0ff6924ad65703f

RedLineStealer

619d9096cb708a01989167ca3444d7b47e765a87e063ce7e6b190e0a951f20db

RedLineStealer

65aaafb0ff30d74d71b57e4890e42f6cb9dce158b853e336971c7d1a717a07c1

RedLineStealer

7db918fd5b12da70b9084a2d452d94b9d6e8daa64a91f233e22ed2ee13551777

RedLineStealer

8cfafa2cbc8c24afe00f82ca7beef18000cd3ad1a2f45c97a0a6e1921df0c92f

RedLineStealer

b63ecc7941b1c62dc98d59344ec81a623276033f889fa43628010fc54030e100

RedLineStealer

b69927fbfd7eb038b59aa9b7e9f49cb02d127d48fcf6517e65a379e982e806bc

RedLineStealer

bc34e83f5140537d1d23f5124dbb73a2ebaaaea8f29f1c1313fbb845dc223618

RedLineStealer

fa789875b40eca3ae99afa6390d67b134a0a193938a484805b0d471a8c12febe

RedLineStealer

+ 94 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210520-7we5pxjane/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.68

Link:

https://yomi.yoroi.company/submissions/4c62c2ecd995bf191bb07ef249faea4c1f1f1e05a60fcdf60743cbd4bb9dc4da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/160248/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample