MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 664e53effcfd8f85fd0ebb2e37d285308efdf4f30c424e8e9841ec48614c2623. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 664e53effcfd8f85fd0ebb2e37d285308efdf4f30c424e8e9841ec48614c2623
SHA3-384 hash: b50ffa470ce04bcedfc0eba800dd8b4fc4a2b1bd06c722cedabbf8f62ef6fa75a79c829af7661a42e0d6a2260516e5a9
SHA1 hash: 4944239e92e31acdf4ed16c04ad427d5cd2a1d86
MD5 hash: 900e57970906aaeaa5d53979fd3b6f41
humanhash: november-early-wyoming-golf
File name:900e57970906aaeaa5d53979fd3b6f41
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:146'944 bytes
First seen:2021-08-13 17:25:54 UTC
Last seen:2021-08-13 17:58:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:AlpjLF6sGIo00SBNy53c7ji41qnAZhQ7/ZJ5aLtM6UvbqssCFZ/P3wX9fwl91sfw:AlbGIo/27u41qnAZ27/ZJ8G/m49To/j
Threatray 135 similar samples on MalwareBazaar
TLSH T127E32808532A8AE3C7DC457ED8F0EA04D3B0F08A66ADF70B78C485E1290679F8D526D7
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
900e57970906aaeaa5d53979fd3b6f41
Verdict:
Malicious activity
Analysis date:
2021-08-13 17:26:51 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/d6a4d3df-b82f-42e6-a5d6-c29690dbc827

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179060/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30892.25227.8836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Stealing user critical data
Connection attempt to an infection source
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04b18144-be37-4e62-8a5e-3ec855931f61
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/832604
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/664e53effcfd8f85fd0ebb2e37d285308efdf4f30c424e8e9841ec48614c2623/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 15:58:11 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1d9792547b612f5521083edcdf440a8e6dece47d056e69bed5b08575c57c44ff
RedLineStealer
49109a49df93b6624b2ddbc0f64038ae42b16fee070844d19c1a5c27d4b7764d
RedLineStealer
67d57c4bb2d2048a9e3e41dae08b403d5b046fe85dc24a73fafde4d28ed38600
RedLineStealer
76ff41be8f7f15dbb035fb27ad00cbd313d0d75745945b81642f10986fc83ffb
RedLineStealer
8759d45e142c15d4e4cc63fc147114ef52bb57623710552c4ba76f43face2524
RedLineStealer
88c93fb2359cc5f0da6886983c67d923955d210daf5a458e382d024124a67458
RedLineStealer
9465d1ee02521fdd0d1be313df401af7734a858c164e4eae77d6c85398e339eb
RedLineStealer
9f549d7c1524df9f8b0dd28d440a0c55bb3ef49c1c9114b43e67545ca727e9d9
RedLineStealer
e0aca3b1e2806672143d256e87812294fe04f1ea95625979e3b9d64b951449db
RedLineStealer
+ 125 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210813-vfgajh2exn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
664e53effcfd8f85fd0ebb2e37d285308efdf4f30c424e8e9841ec48614c2623
MD5 hash:
900e57970906aaeaa5d53979fd3b6f41
SHA1 hash:
4944239e92e31acdf4ed16c04ad427d5cd2a1d86
Link:
https://www.unpac.me/results/2471a7c0-d243-4ca3-9023-ea184ca67e25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/664e53effcfd8f85fd0ebb2e37d285308efdf4f30c424e8e9841ec48614c2623

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 664e53effcfd8f85fd0ebb2e37d285308efdf4f30c424e8e9841ec48614c2623

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1531284/
Cape
Cape
https://www.capesandbox.com/analysis/179060/

Comments


Avatar
zbet commented on 2021-08-13 17:25:55 UTC

url : hxxp://193.142.59.221/blog/images/123.exe