MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5be742e9644f86ef1d407e5b3e85dff6211561e6dbf9c9fc85b0c5289b899979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5be742e9644f86ef1d407e5b3e85dff6211561e6dbf9c9fc85b0c5289b899979
SHA3-384 hash: 73f192b7f4bc61621029d6ed0f0985771108a80bea51c44ae1f71897d15af69e9f4b888ca90fae71a44700ae29c5412d
SHA1 hash: 1fbb82c5d47ff4f9e24437edfac4100d04cea6f3
MD5 hash: 9742c05bbed2b1084b81fabd51a2af33
humanhash: golf-vegan-one-colorado
File name:9742c05bbed2b1084b81fabd51a2af33
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:652'800 bytes
First seen:2021-10-09 07:50:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qdlTbQ+X8+UiDLbRHahCFOT5+AxAPLfC19mTuBoVd/Pucx32HBNifbgI:QbQ+X8+UiDLbRHahC6xATo9mxdIHBNUM
TLSH T1ADD47B68E22FD76AFD1923F0253CFCD015F82A69247CFA27BE9651E23489E3151B0257
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196283/
Detection(s):
SecuriteInfo.com.Variant.Fonctuzim.1.13267.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1068-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616149ea334ba92bd9226c6a/reports/b26dda35-1ed4-4429-bbc3-b7cf30d50b52/overview
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867396
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499819 Sample: g1IjazIJQp Startdate: 09/10/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 7 other signatures 2->42 10 g1IjazIJQp.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\g1IjazIJQp.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 g1IjazIJQp.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.skincodedaesthetics.com 103.67.235.120, 49817, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Philippines 17->30 32 www.islamquotesimages.com 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmd.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5be742e9644f86ef1d407e5b3e85dff6211561e6dbf9c9fc85b0c5289b899979/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 02:08:07 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:bckt rat spyware stealer trojan
Link:
https://tria.ge/reports/211009-jptrxafah7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.picnictablecompany.com/bckt/
Unpacked files
SH256 hash:
7d7501fb22cb18f10bfac1575359ff3a7e9ba934985a8184d02e5a26a3c4801d
MD5 hash:
4c1f6f8f4bf9678c49d6ea74baca3576
SHA1 hash:
3209fc3defa6d9eeb8ed06fe8cbcf6a69c84c782
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0b811219-6960-432d-91fb-2780cb963e55/
Parent samples :
7024147e75938acd54b804df172c63b57c794e1980632c5f8190ae1e9d0da82a
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b
043b45f9d94820186d7324c5f6e0fd7661de15ad29104fd43294e2f3839efa06
92c90d735148f7fd056e2d53bf44239f3fdab6b029e78d3ed6077d9c7f40aef2
c7ea020c54d4ce9a629d57feb15e38fac8457b14221386111ef022735e375d13
5be742e9644f86ef1d407e5b3e85dff6211561e6dbf9c9fc85b0c5289b899979
SH256 hash:
8284626bb324db0a4b2516f9b5dc1da92a26e6315f7a2fe771079a99021125fe
MD5 hash:
eaddb22aa4c81beb01cd9f45fb47809c
SHA1 hash:
dca3c2c7c76f332ad5cf31ab7be227de4e0aa6c8
Link:
https://www.unpac.me/results/0b811219-6960-432d-91fb-2780cb963e55/
SH256 hash:
e21e832ca417d1857607173ec2d8ba08bf3dc035879aec32e0f778b62acbb2fb
MD5 hash:
bbd42d9c9bfb49e2595a917ccf84983d
SHA1 hash:
64c0bf979a5b73e8bc5ca746a56212bcfe85640b
Link:
https://www.unpac.me/results/0b811219-6960-432d-91fb-2780cb963e55/
SH256 hash:
35134d7c8a011c75835fa2215165b54ad894280becccdac79d78960add5e7ec3
MD5 hash:
70280d34d80ac03b61f3ece658f2b620
SHA1 hash:
5f0429995539964adb18020c556c981c489c1114
Link:
https://www.unpac.me/results/0b811219-6960-432d-91fb-2780cb963e55/
SH256 hash:
5be742e9644f86ef1d407e5b3e85dff6211561e6dbf9c9fc85b0c5289b899979
MD5 hash:
9742c05bbed2b1084b81fabd51a2af33
SHA1 hash:
1fbb82c5d47ff4f9e24437edfac4100d04cea6f3
Link:
https://www.unpac.me/results/0b811219-6960-432d-91fb-2780cb963e55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/5be742e9644f86ef1d407e5b3e85dff6211561e6dbf9c9fc85b0c5289b899979

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5be742e9644f86ef1d407e5b3e85dff6211561e6dbf9c9fc85b0c5289b899979

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1583603/
  
URLhaus
https://urlhaus.abuse.ch/url/1599707/
Cape
Cape
https://www.capesandbox.com/analysis/196283/

Comments


Avatar
zbet commented on 2021-10-09 07:50:42 UTC

url : hxxp://lg-tv.tk/bankzx.exe