MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: 4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038
SHA3-384 hash: 217201fd752ab958e6dcbb0f24bdc3ef7c761e9dd0de5304316101f7aa157d82ba74c6fc8b959ecd9c91f31964448cc9
SHA1 hash: 2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb
MD5 hash: 0025bb6d0a9d41a97e19d014fd237e09
humanhash: oven-one-freddie-muppet
File name: file
Signature: RedLineStealer
File size: 2'205'184 bytes
First seen: 2023-03-08 13:36:46 UTC
Last seen: 2023-03-08 15:28:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 49152:1jzUCIk+1a7hKVy7fH6PlTooUy9KhJNN38g:5UCIk+E7h/fBFGKhF3
Threatray: 68 similar samples on MalwareBazaar
TLSH: T156A5DF3CF8A99AD6E13AF7738557E210F3F550F3B311C8166EE2898402B4A75A2DE50D
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: jstrosch
Tags: .NET exe MSIL RedLineStealer

Intelligence

File Origin
Uploads: 2
Downloads: 269
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-03-08 13:38:28 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Malware family: Tandem Espionage
Verdict: Malicious
Result
Threat name: Eternity Worm, SmokeLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Eternity Worm
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 822603; sample: file.exe; start date: 08/03/2023; architecture: WINDOWS; score: 100)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-03-08 11:17:00 UTC
File Type: PE (.Net Exe)
Extracted files: 24
AV detection: 16 of 21 (76.19%)
Threat level: 5/5
Result
Malware family: eternity
Score: 10/10
Tags: family:eternity worm
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Eternity
Malware Config
C2 Extraction: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Unpacked files
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer
Executable exe 4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038 (this sample)

Delivery method: Distributed via web download

Comments