MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fc28b6277bc34e758ec1d047cccdb13b7d5358e0ae4d34249f7b017312ee307. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fc28b6277bc34e758ec1d047cccdb13b7d5358e0ae4d34249f7b017312ee307
SHA3-384 hash: 4d514d06180028d4fde7e94d42b8d9192e0fa64994eadfac58b7ed5a2dbd75b60037f5c1f920484ea7bc20edb3542c63
SHA1 hash: e6d5033925172117cb58da906effaf725436d732
MD5 hash: 9cbeaec69e8a689be6f44233e904f974
humanhash: juliet-stream-oranges-twelve
File name:9cbeaec69e8a689be6f44233e904f974
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'898'944 bytes
First seen:2021-12-05 08:15:50 UTC
Last seen:2021-12-05 10:28:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:P8z1kjhUsiuhJPrmU8CcpkVRISM4RaVIRXe:P8z1yUUpVRIZRse
Threatray 1'377 similar samples on MalwareBazaar
TLSH T100D513B86087B377B5A0E79493F3A1BEEBC745626E2B6028D45D057192C2725FF2C20D
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9cbeaec69e8a689be6f44233e904f974
Verdict:
Malicious activity
Analysis date:
2021-12-05 08:19:03 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/13259b07-49ca-4f9d-bb91-1d9e81b190a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211441/
Detection(s):
SecuriteInfo.com.Variant.Lazy.72333.10240.13923.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Creating a file
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61ac7546fa72c81b5b0c5d22/reports/03fc2484-9e5b-4c78-a693-4d49a8e109a7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3c345d5-41ee-4f74-88c4-4715172583c8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/901645
Signature
.NET source code contains very large array initializations
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fc28b6277bc34e758ec1d047cccdb13b7d5358e0ae4d34249f7b017312ee307/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-05 08:16:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0827673ccd2ea519b7dc5992a11beae4a429b2588be92e94e20e16ad132e086c
RedLineStealer
1f4ccad233d733ecf2c0374593f95ea0bd521a17e82206b17fd74948faca974c
RedLineStealer
21766e51afd193a59b8b32f38d7f852022ee58348537be2fa7620773df237f77
RedLineStealer
5d5a4e577c7e58c88e50a4c6553943a861ed52728255a3f549ab02d673853a70
RedLineStealer
60c65307f80b12d2a8d8820756e900214ad19a1fcfcda18cdbee3a25974235ac
RedLineStealer
750adca8e434c3d8cd88be58d28d842b862f6be645ab4b86fef5b6268da9d187
RedLineStealer
9e8bbc3cd87e16335a700fee228e9fa3ed6f67209b0297f5997c50097b7f8386
RedLineStealer
cebf4c9af84506f3b683d5d4867b739244b6ba595772d583b3455781c4d91b74
RedLineStealer
d0f5e14e8b6be5032261a2bd5b2941b90a51a0be18ec2ef35ad5b03994c3a8ca
RedLineStealer
fb22d463b5a19f625c6c966b860e6cf91d79d23077b137c01d698bfc9f9eecbf
RedLineStealer
+ 1'367 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/211205-j55t4sehh7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Nirsoft
Unpacked files
SH256 hash:
48ecfd26dd9ec6c37cd68762bc10f8e1c002b901cf1521795ed37f244f3dd515
MD5 hash:
7995579bb50f781ca8b8d4723dbf2e54
SHA1 hash:
5f2c86371c8d7ed4cfbab66e8470b8c20be0cac4
Link:
https://www.unpac.me/results/9a8c70c3-f355-4458-b666-f5197201a1bf/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/9a8c70c3-f355-4458-b666-f5197201a1bf/
SH256 hash:
5fc28b6277bc34e758ec1d047cccdb13b7d5358e0ae4d34249f7b017312ee307
MD5 hash:
9cbeaec69e8a689be6f44233e904f974
SHA1 hash:
e6d5033925172117cb58da906effaf725436d732
Link:
https://www.unpac.me/results/9a8c70c3-f355-4458-b666-f5197201a1bf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5fc28b6277bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/5fc28b6277bc34e758ec1d047cccdb13b7d5358e0ae4d34249f7b017312ee307

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5fc28b6277bc34e758ec1d047cccdb13b7d5358e0ae4d34249f7b017312ee307

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1853603/
Cape
Cape
https://www.capesandbox.com/analysis/211441/

Comments


Avatar
zbet commented on 2021-12-05 08:15:52 UTC

url : hxxp://95.217.43.206/~globaltiam/js/224.exe