MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef79469533653cf78a5dbff0a9d408d13541b2245874598f0177cc139e5e841. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer

Vendor detections: 9


SHA256 hash: 5ef79469533653cf78a5dbff0a9d408d13541b2245874598f0177cc139e5e841
SHA3-384 hash: 7f85d30781da3e8f7c9954c6d39390e9c3dca672bbed0440a0902864e941ea26ca6a15087ca6150082697fc96c54e89c
SHA1 hash: 0fc902de724eb0aad71a5bbb2af130cbc37561a5
MD5 hash: 8ed112ce2144dd4be905d02337114cb9
humanhash: pasta-oklahoma-idaho-dakota
File name: 37841162.exe
Signature: RedLineStealer
File size: 157'696 bytes
First seen: 2022-03-20 05:30:42 UTC
Last seen: 2022-03-20 07:38:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 61 x Rhadamanthys)
ssdeep: 3072:aahKyd2n3175GWp1icKAArDZz4N9GhbkrNEk1ST:aahOLp0yN90QEZ
Threatray: 1'447 similar samples on MalwareBazaar
TLSH: T1D0F38D0A63E420A6E4BA577498F302935A32BCB15B7986FF12D4D57E0E336D0A532F17
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: adm1n_usa32
Tags: 64 exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 305
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Sending a custom TCP request
Searching for the window
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: advpack.dll control.exe explorer.exe rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 68 / 100
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Behaviour
Behavior Graph (ID 592703; sample 37841162.exe; start date 20/03/2022; architecture WINDOWS; score 68): graph image not reproduced here. Signatures shown on the graph: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Sigma detected: New RUN Key Pointing to Suspicious Folder. Process tree: 37841162.exe started cmd.exe, which started curl.exe and conhost.exe; rundll32.exe was also started. Network: curl.exe contacted 179.43.187.108 on port 80 (PLI-ASCH, Panama).
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-02-20 03:03:00 UTC
File Type: PE+ (Exe)
Extracted files: 36
AV detection: 13 of 27 (48.15%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SHA256 hash: 5ef79469533653cf78a5dbff0a9d408d13541b2245874598f0177cc139e5e841
MD5 hash: 8ed112ce2144dd4be905d02337114cb9
SHA1 hash: 0fc902de724eb0aad71a5bbb2af130cbc37561a5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 5ef79469533653cf78a5dbff0a9d408d13541b2245874598f0177cc139e5e841 (this sample)
