MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5db793f73ecffd1d88da746f8ce03d798b65b9ab2bc13df307f25de29be546dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

SHA256 hash: 5db793f73ecffd1d88da746f8ce03d798b65b9ab2bc13df307f25de29be546dc
SHA3-384 hash: bcb53b53bf088256ebfa6a18b1fda51be8e0d21bffc1d70b0708e96d7e2b888347278a68fa716b70223536bee7fadb39
SHA1 hash: 5fe92c2d7dc68a5ffe2f40270bb994d8ea4e62ef
MD5 hash: c4050e6bdd335e319ca7b848d53b9108
humanhash: november-idaho-table-pennsylvania
File name: c4050e6bdd335e319ca7b848d53b9108
Signature: RedLineStealer
File size: 367'616 bytes
First seen: 2021-06-10 19:17:56 UTC
Last seen: 2021-06-10 19:36:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 6144:vNLee8O0/j2dbtMq09oPpBH6lge2EYc+6KKFodcrud6S06m0tYhH9/RlGu2M:lijfj21tJ09ypBYYc+X8YIYJRm0a9plg
Threatray: 15 similar samples on MalwareBazaar
TLSH: 8874128BA38042B5D3791BB48C67C5B90D34FE7AD942B72B52D8BD9F39383586816334
Reporter: zbetcheckin
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 164
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d.exe
Verdict: Suspicious activity
Analysis date: 2021-05-22 00:50:37 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious names
Creates files in alternative data streams (ADS)
Creates HTML files with .exe extension (expired dropper behavior)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 432870; sample wa71myDkbQ; start date 10/06/2021; architecture WINDOWS; score 100):
Sample start: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; Machine Learning detection for sample; Sigma detected: WScript or CScript Dropper
  wa71myDkbQ.exe started
    dropped: C:\Users\user\AppData\...\wa71myDkbQ.exe (PE32); C:\Users\user\...\Izhwsiraoosvchost.exe (PE32); C:\Users\...\wa71myDkbQ.exe:Zone.Identifier (ASCII); 2 other malicious files
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Drops or copies cmd.exe with a different name (likely to bypass HIPS); Injects a PE file into a foreign processes
    wscript.exe started
      Izhwsiraoosvchost.exe started
        dropped: C:\ProgramData\...\AIKY.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates files in alternative data streams (ADS); 3 other signatures
        cmd.exe started (Uses schtasks.exe or at.exe to add and modify task schedules) -> conhost.exe, schtasks.exe
        cmd.exe started -> conhost.exe, icacls.exe
        cmd.exe started -> conhost.exe, icacls.exe
        4 other processes -> conhost.exe, icacls.exe, 4 other processes
    wa71myDkbQ.exe started
      network: cdn-101.anonfiles.com 217.64.149.169, 443, 49727 (OBE-EUROPEObenetworkEuropeSE, Sweden); anonfiles.com 104.21.10.26, 443, 49728 (CLOUDFLARENETUS, United States)
      signatures: Multi AV Scanner detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); Machine Learning detection for dropped file; Contains functionality to inject code into remote processes
  AIKY.exe started: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to delay execution (extensive OutputDebugStringW loop)
  AIKY.exe started: DNS botboyz.online; WerFault.exe started
  3 other processes
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-05-20 22:23:30 UTC
File Type: PE (.Net Exe)
Extracted files: 42
AV detection: 31 of 46 (67.39%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery persistence
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe 5db793f73ecffd1d88da746f8ce03d798b65b9ab2bc13df307f25de29be546dc (this sample)