MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5857a02db49d07884fcb36766841c7b4a20f671c06092ffe03dbd44c786c59c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5857a02db49d07884fcb36766841c7b4a20f671c06092ffe03dbd44c786c59c1
SHA3-384 hash: 3c7aa5581ef5538744c672469d352978dbb3688089179271f85aba19f6566f65a18ba275374934df5fa5494e5f200fa9
SHA1 hash: 8f5a6338bd4121d275d14264820332b3b160a1f0
MD5 hash: 2e503ce2710dce61a75fb20c25c5c5d8
humanhash: ceiling-north-arizona-social
File name:2e503ce2710dce61a75fb20c25c5c5d8
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'018'880 bytes
First seen:2021-06-22 19:58:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:43HBWZ5lBh5q2g/ws7WG6TUzoLnro1ry5VtfPzNQ4BARlltXYKDVxUrdY6d012KS:4AjlB1gJ7WG5zo7roxybB6424KDMORi
Threatray 602 similar samples on MalwareBazaar
TLSH 432533F53A919C6EC453CEF122D15EA993E5E40707836F8F5CD700CA875DE68A882E63
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e503ce2710dce61a75fb20c25c5c5d8
Verdict:
Malicious activity
Analysis date:
2021-06-22 19:59:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5b05ecdc-ad4b-4072-82e4-b644289ba475

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167681/
Detection(s):
Win.Packed.Redline-9871569-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a51a18c7-a4d1-446d-832f-3ecc3bd6b7f5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
51 / 100
Link:
https://www.joesandbox.com/analysis/806255
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5857a02db49d07884fcb36766841c7b4a20f671c06092ffe03dbd44c786c59c1/
Threat name:
ByteCode-MSIL.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-06-11 15:17:35 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
286ac923f7619b720847b3820652ca94b3b09ee4885e581ced04e8f1395713b9
RedLineStealer
2c3699075c78a3f48bef95a36791f434bf9859311c4ef6545e39807395d1f054
RedLineStealer
40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8
RedLineStealer
6d915396aa09593693247c54c4a91feea691dc6e5f4ff234791a6193d2b5ac1b
RedLineStealer
71c330dc0c9a097cff8c39bd6652d80abc50c4bd5f00543725bb77a419ab7277
RedLineStealer
738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5
RedLineStealer
7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4
RedLineStealer
7b00b1329b4e57c45b5b7be936ac9c3b2f8f747e6a2b2d86642f8cd3deca5ab5
RedLineStealer
8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c
RedLineStealer
bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf
RedLineStealer
+ 592 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210622-q49e9g3ecj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
816d40a06faf8ba1ad48f4eff2494c149d5ce752c6f4def024810a0aac83bfa7
MD5 hash:
b7530cb294b43a2e7046a6f371843b72
SHA1 hash:
d11852ea4aeacc911e361ca2458b35bc8eeaa72d
Link:
https://www.unpac.me/results/63a31f1c-69ba-4a57-a6a8-1b13ec82738d/
SH256 hash:
5eeafe86e9f3849f6eccd0015ab58e749770c7c36e6401a32ad09e3e5bcbf7bd
MD5 hash:
7c17988581ce3335024b368c3932a518
SHA1 hash:
47a620b0e70a679c68532db99a78a8777a85563f
Link:
https://www.unpac.me/results/63a31f1c-69ba-4a57-a6a8-1b13ec82738d/
SH256 hash:
5857a02db49d07884fcb36766841c7b4a20f671c06092ffe03dbd44c786c59c1
MD5 hash:
2e503ce2710dce61a75fb20c25c5c5d8
SHA1 hash:
8f5a6338bd4121d275d14264820332b3b160a1f0
Link:
https://www.unpac.me/results/63a31f1c-69ba-4a57-a6a8-1b13ec82738d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/5857a02db49d07884fcb36766841c7b4a20f671c06092ffe03dbd44c786c59c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5857a02db49d07884fcb36766841c7b4a20f671c06092ffe03dbd44c786c59c1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1389327/
Cape
Cape
https://www.capesandbox.com/analysis/167681/

Comments