MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58149a24884e425f40c7f2dfd541e5380573e4dccf270564b4ae71df235bbc87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58149a24884e425f40c7f2dfd541e5380573e4dccf270564b4ae71df235bbc87
SHA3-384 hash: dabe3b6885b5bd2860cf5de8dae33f49f322e99e601b483d4f7ea2660d602902377a6cbc367b2cccf34530ef54eb15da
SHA1 hash: 4387d6cfc47aa32c56ad2181db8d422cd5a80ed5
MD5 hash: 8e0858c676bfce53f2a0473fb3c353be
humanhash: cold-twenty-sink-winter
File name:8e0858c676bfce53f2a0473fb3c353be
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:737'280 bytes
First seen:2021-08-09 19:08:26 UTC
Last seen:2021-08-09 20:00:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:i9IbS3UFckbtZn/pW8NgROoKiKj1vqeXuL9f0sEGUD/hTkCl58+f2:NSkFckbtlpWHwokjEeexYlD/hYClrf
Threatray 658 similar samples on MalwareBazaar
TLSH T1F3F4D0367B54CA46F32C6476C2EBC3380BF059B619B3D327BEB436AC54593822C4B599
dhash icon 8cb2333333332382 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8e0858c676bfce53f2a0473fb3c353be
Verdict:
Malicious activity
Analysis date:
2021-08-09 19:09:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12fd9548-db77-41fd-ac52-ab9039937a6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177750/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15229.4714.11312.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edc2173a-7d7a-41c6-9936-cedf0834cc2f
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829598
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462026 Sample: UnEu3P0sQM Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 27 Found malware configuration 2->27 29 Multi AV Scanner detection for dropped file 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 5 other signatures 2->33 7 UnEu3P0sQM.exe 6 2->7         started        process3 file4 21 C:\Users\user\AppData\Roaming\bogftd.exe, PE32 7->21 dropped 23 C:\Users\user\AppData\Local\Temp\tmp7C4.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\...\UnEu3P0sQM.exe.log, ASCII 7->25 dropped 35 Uses schtasks.exe or at.exe to add and modify task schedules 7->35 37 Injects a PE file into a foreign processes 7->37 11 UnEu3P0sQM.exe 1 7->11         started        13 schtasks.exe 1 7->13         started        signatures5 process6 process7 15 UnEu3P0sQM.exe 11->15         started        17 conhost.exe 11->17         started        19 conhost.exe 13->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58149a24884e425f40c7f2dfd541e5380573e4dccf270564b4ae71df235bbc87/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-08 23:02:46 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
RedLineStealer
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
RedLineStealer
30320c23745d14085669f891d3805c6fb3823496cbea8fcae4384cfecd505f49
RedLineStealer
3a6c6ec5b5e168e0452009714a8d37581459b8d386c26ef69c98a6802d5e65d6
RedLineStealer
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
RedLineStealer
88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f
RedLineStealer
9169cc1093e14262e9d08db10152ee815f88ed87d12bc7b934c3645d23f347ea
RedLineStealer
97c558bcbdaf21258e91098900d19e1ba944379a779a6a7c57aec46ea3de5438
RedLineStealer
d07e7f7f409d82270a54d63f0ee9e38442665d91a5dc193bcadfe45452d8cf46
RedLineStealer
d7854719c33f72a1afa0c562bdf44a8941b4017fbe90a215636aad91d1bf4f10
RedLineStealer
+ 648 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210809-e938k8p55s/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
04d7bbb2c24f0fe9ce61d82e9e679b98b4df56e2ac5f81b13944468db5a40dd6
MD5 hash:
7fe7bb385a4c5b086d2b769503871478
SHA1 hash:
ba8298817a4638fbe4212f91801c0470fc74e428
Link:
https://www.unpac.me/results/0573b152-5873-4c32-9282-e0a07908bbd9/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/0573b152-5873-4c32-9282-e0a07908bbd9/
SH256 hash:
d7854719c33f72a1afa0c562bdf44a8941b4017fbe90a215636aad91d1bf4f10
MD5 hash:
296968fa478ce8b4832446c33afc37a5
SHA1 hash:
b8331521ad1beb8814c5b50d9e16430440bb2947
Link:
https://www.unpac.me/results/0573b152-5873-4c32-9282-e0a07908bbd9/
SH256 hash:
29f7c19274129e04022d26e6a69ea9d025e2effae784686a3ec783d08a55d0d3
MD5 hash:
fd1b92c0cd2d5cedbbf6bacf544503d8
SHA1 hash:
685d14fb3cf7cebde4951eb5d5271e1b54e4f2cd
Link:
https://www.unpac.me/results/0573b152-5873-4c32-9282-e0a07908bbd9/
SH256 hash:
4c052ec6f28d9ffa2017bf97532d61a97587b1aade70044d2e7c2cdf77f97de0
MD5 hash:
19895efd2a9d2bc96e501781c47216d0
SHA1 hash:
43dfb6bcef4bd9977ff0d2ee7d598f0eb009003d
Link:
https://www.unpac.me/results/0573b152-5873-4c32-9282-e0a07908bbd9/
SH256 hash:
58149a24884e425f40c7f2dfd541e5380573e4dccf270564b4ae71df235bbc87
MD5 hash:
8e0858c676bfce53f2a0473fb3c353be
SHA1 hash:
4387d6cfc47aa32c56ad2181db8d422cd5a80ed5
Link:
https://www.unpac.me/results/0573b152-5873-4c32-9282-e0a07908bbd9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58149a24884e425f40c7f2dfd541e5380573e4dccf270564b4ae71df235bbc87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 58149a24884e425f40c7f2dfd541e5380573e4dccf270564b4ae71df235bbc87

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1493959/
Cape
Cape
https://www.capesandbox.com/analysis/177750/

Comments


Avatar
zbet commented on 2021-08-09 19:08:27 UTC

url : hxxp://45.137.190.166/clip.exe