MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56055b9e7bc2e6577527cb86ca9e8598fa7caf9a909bbdb3e69b27a2236c9da9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56055b9e7bc2e6577527cb86ca9e8598fa7caf9a909bbdb3e69b27a2236c9da9
SHA3-384 hash: 4e2388b01f9e23101fe2c6737928fee4fa87fa56a1958671300010f73d5a990658559aebe917fcf62a8e81baaefa866a
SHA1 hash: 7f69986f9fa5eeb942c984e62124674ff6322d47
MD5 hash: ae687391859bad88072fd1a6fd1fd7dc
humanhash: north-green-queen-march
File name:Payment Advice copy 000030,pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'487'744 bytes
First seen:2021-08-02 05:27:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:x7580y580fX7Y8FiX0dL7XkHzdMZ6moJoX2nfi5:cSiX88sO7UTo6fJpnY
Threatray 33 similar samples on MalwareBazaar
TLSH T182F5129E7440DABBD61D23F55118D88042B99814D227FBFEBE62627223D1B794F24CF2
dhash icon b271e8e4d4ccf070 (22 x AgentTesla, 14 x Formbook, 11 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
635
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice copy 000030,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-02 05:52:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b953cc77-c2fc-420e-8394-deb3f4450249

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175642/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DLO.genEldorado.21861.5014.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Blocking the User Account Control
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3226ba1e-d418-48e3-8f8d-79a008214e5f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/825333
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56055b9e7bc2e6577527cb86ca9e8598fa7caf9a909bbdb3e69b27a2236c9da9/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 04:35:52 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kycvxht3yltfo5jhzodmvhuftd5hzl42scn33m7gtmt2ei3mtwuq._file
Verdict:
unknown
Similar samples:
1822d8a4ee73275bfdd30f46630b488c8baeb428476e9004d782f968c9ecc1a8
RedLineStealer
280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f
RedLineStealer
289e754a2cf583d9f99c47497555cc32130db6dc115e5bdcc18498bc23fb2f2a
RedLineStealer
664d01b3c99b6b4ce88556cc8ca1705fba37b0463b91d367cb2384f45b9de8ce
RedLineStealer
70466eb081829487f1d792ca76eafd8c1b2a7a0c8662bab867cb9d04f5ba1ea4
RedLineStealer
ae37bee148d1523236eef975fd02b5c461bae3e9edd4dfcb12d76a0b8015a5fe
RedLineStealer
b11a974fee906fcfbfadce6a615552bb396a0ab0fa891f87f78476f5e63da275
RedLineStealer
bdf4f9852ab895ece675c5b98ab1fc53fa962a7550385cb72cfb407968254e01
RedLineStealer
e50bf20dc2d0f80249246b50ae0b4a780442f3162f3d9e1b471d52ce7c24ab80
RedLineStealer
f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0
RedLineStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210802-nryxp1l56s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UAC bypass
Unpacked files
SH256 hash:
48a6fe3ec8148ee871718c57e94b594be24417dc935c5cb44a3b51e82f54cd5a
MD5 hash:
2967f3101f5f419c899e3b728170101f
SHA1 hash:
cdf000649d825f006e7002b46e849e35f9358d60
Link:
https://www.unpac.me/results/4624deb7-e4c8-4d3f-a2a9-b8dce2aff5b0/
SH256 hash:
c68058c2bcb051c1bc74ded62a2890eb334d27857f1da0c6915c4c6cb6e6dfab
MD5 hash:
70045f376e288e0a9ee545310f73678b
SHA1 hash:
42428378607376cc4c7f8b5c25d2e59bd9f8bcd0
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/4624deb7-e4c8-4d3f-a2a9-b8dce2aff5b0/
SH256 hash:
cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c
MD5 hash:
a0f625a3d3348903f3c902f588c0e4f5
SHA1 hash:
20d1f0b74abe6f500e8c21119f55281926210ac0
Link:
https://www.unpac.me/results/4624deb7-e4c8-4d3f-a2a9-b8dce2aff5b0/
SH256 hash:
4e97a7e6544f4e4d75652b7812376dda06274c21ad94e67b2ba912d49927dd5a
MD5 hash:
2bad87d1bb6c9804705c81b56731aa43
SHA1 hash:
303f30103acdff64c7b6343fe08259775fde776d
Link:
https://www.unpac.me/results/4624deb7-e4c8-4d3f-a2a9-b8dce2aff5b0/
SH256 hash:
56055b9e7bc2e6577527cb86ca9e8598fa7caf9a909bbdb3e69b27a2236c9da9
MD5 hash:
ae687391859bad88072fd1a6fd1fd7dc
SHA1 hash:
7f69986f9fa5eeb942c984e62124674ff6322d47
Link:
https://www.unpac.me/results/4624deb7-e4c8-4d3f-a2a9-b8dce2aff5b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56055b9e7bc2e6577527cb86ca9e8598fa7caf9a909bbdb3e69b27a2236c9da9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:silentbuilder_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 56055b9e7bc2e6577527cb86ca9e8598fa7caf9a909bbdb3e69b27a2236c9da9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175642/

Comments