MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65c593c69da3990b12ad4ca7476c820243bb865c2eecb63cdc70d7ac19afe360. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65c593c69da3990b12ad4ca7476c820243bb865c2eecb63cdc70d7ac19afe360
SHA3-384 hash: 5b1322a059e766db2d4ae9d72a461f9b0ec96857a47e6a25e958f453e260724ed2fa0ad1e7b9a424d6ab1afbbd26ef8f
SHA1 hash: 1cfb2f1d7343c386e53989a1fdd78eac56099fcd
MD5 hash: 3ad8fcbd4c1f1d525207679eb23f3e3c
humanhash: happy-zulu-jig-twelve
File name:3ad8fcbd4c1f1d525207679eb23f3e3c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'306'624 bytes
First seen:2021-06-22 14:41:33 UTC
Last seen:2021-06-22 21:04:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 24576:ejIvRxBP/BZNW/uHImAZHfzEmsr4oEtzU+WpppO:e8BPp7H+Q4RX
Threatray 4'795 similar samples on MalwareBazaar
TLSH EC558E1CA49F9953D3BBFB788AF1B980E73CE3A17D3BD127053305AAD928D891597480
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3ad8fcbd4c1f1d525207679eb23f3e3c.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-22 15:17:05 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/f403243a-ee3c-4797-ba30-616c766d6005

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167621/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f0785e3-456e-4c3a-8e87-fafe36331700
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/806076
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65c593c69da3990b12ad4ca7476c820243bb865c2eecb63cdc70d7ac19afe360/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 12:49:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0db3bd35b25826c66d2ebc8f3d009b44dcffbf66e7998b19be0cf4c0d8fec258
RedLineStealer
1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366
RedLineStealer
29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02
RedLineStealer
4068367bc59ad89c43c9024b63d4057942626c13d4cb4233ba14218a5f1d2ee8
RedLineStealer
43c7a6a2753a823e9588d72776b4a660d33b8890414fff82d6741132346d8abb
RedLineStealer
49b1f7e34f74b3ea4b97852292dfd6e856a58f74a181f5a3aadd6356503ae617
RedLineStealer
53174a644680154786d09b66cc8c4a1aa83c625bd10137600bf191573fa5c602
RedLineStealer
5c32fd3de4bce60a2529cebc5f47b8a1562ea9bd22549f829b22b0533b32f79b
RedLineStealer
8cf4d9a55d80942fbdf18648f7fa01768efc4783b439503d39d9ef98a85fb193
RedLineStealer
a6c456dcee9a9c53aeb0360bdb52a682137745ad9ec607fce1199e24cd348ee5
RedLineStealer
+ 4'785 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210622-54vp8f19be/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
6cca0d943d08bf111dcc281122311987d569ab6726bbd9a02cd5472429ee9a43
MD5 hash:
ba10dcd5228d0cb4b96cf5fa4cdc7fa0
SHA1 hash:
f23ea4051bfef2ab3337aa83365d8ded9d52bddb
Link:
https://www.unpac.me/results/c6f3d3d0-a50b-4524-ae37-f6285c7c4257/
SH256 hash:
2ff0a1777bd20120105c0e9419c286747fc20258a7124534740c374509b52c2d
MD5 hash:
19ef5be49d9d6b5889a2e98a8065b49a
SHA1 hash:
69255d14ddaa6395369fc45b0461bbda0d2ae52e
Link:
https://www.unpac.me/results/c6f3d3d0-a50b-4524-ae37-f6285c7c4257/
SH256 hash:
357a1ab96f5556dda94062de9d9dca66c60088a55b53e322ab84faadd5d8ed2e
MD5 hash:
a1329dab78d5bac41e39034d840c30f1
SHA1 hash:
064620fb5693a33417450521fa2ec92ab2d10380
Link:
https://www.unpac.me/results/c6f3d3d0-a50b-4524-ae37-f6285c7c4257/
SH256 hash:
65c593c69da3990b12ad4ca7476c820243bb865c2eecb63cdc70d7ac19afe360
MD5 hash:
3ad8fcbd4c1f1d525207679eb23f3e3c
SHA1 hash:
1cfb2f1d7343c386e53989a1fdd78eac56099fcd
Link:
https://www.unpac.me/results/c6f3d3d0-a50b-4524-ae37-f6285c7c4257/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/65c593c69da3990b12ad4ca7476c820243bb865c2eecb63cdc70d7ac19afe360

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 65c593c69da3990b12ad4ca7476c820243bb865c2eecb63cdc70d7ac19afe360

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1369406/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167621/

Comments