MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67d57c4bb2d2048a9e3e41dae08b403d5b046fe85dc24a73fafde4d28ed38600. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67d57c4bb2d2048a9e3e41dae08b403d5b046fe85dc24a73fafde4d28ed38600
SHA3-384 hash: 7e98192733998d762c0839cc0c30429db1ee4905fa9778a8aedb50169680e0c949dc4276b1fe260726b36e2f5fcf23b2
SHA1 hash: aa74cc4eeff058a72551f2ed66a4313306bd4239
MD5 hash: 1d46827289d9ae8b53f8f7ae54f89000
humanhash: johnny-crazy-low-vegan
File name:1d46827289d9ae8b53f8f7ae54f89000
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'734'080 bytes
First seen:2021-08-03 13:31:25 UTC
Last seen:2021-08-03 16:53:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:c4nY0Be3tvk3BbDbjbZfVHbxaa2QUJ4KjLSBWk9qy5DQyTq:cWe3tm5bjBhVaa25lGNoyxQyT
Threatray 66 similar samples on MalwareBazaar
TLSH T1DFC52378478D5FA2E3EA463EC1629F11DB6CEA16878FD34F208844A43C447E9E627D47
dhash icon 1f3b5353b7f3db19 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176065/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46675699.24310.31644.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
DNS request
Sending a UDP request
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Changing a file
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d4a0889-da44-49c0-9dac-ba291a5bb08a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/826203
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Csc.exe Source File Folder
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67d57c4bb2d2048a9e3e41dae08b403d5b046fe85dc24a73fafde4d28ed38600/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 19:52:00 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0d852bfcbc49afecc18e426f7d694597966256d55c225a4ae798a7e98200b5ca
RedLineStealer
2da08e5a86ad90f6727c65f81a523de70a45a8a04c35c50021378ab2e4f46e5a
RedLineStealer
4bd12f48c0a5a1dd9a4c0dd17460f2941f3a1b2b11b95961b4092f07622eb5c3
RedLineStealer
76ff41be8f7f15dbb035fb27ad00cbd313d0d75745945b81642f10986fc83ffb
RedLineStealer
8508dd939f37a821ad3d0060c1e472f258bb7d4064e1a602661bb3971f20251f
RedLineStealer
8759d45e142c15d4e4cc63fc147114ef52bb57623710552c4ba76f43face2524
RedLineStealer
88c93fb2359cc5f0da6886983c67d923955d210daf5a458e382d024124a67458
RedLineStealer
9f549d7c1524df9f8b0dd28d440a0c55bb3ef49c1c9114b43e67545ca727e9d9
RedLineStealer
b97bd972288c26f8eb5b51e18bbae753ddae9a8cd2720fa45a975e764a25efaa
RedLineStealer
cffb56dddf9b596328082781400f1b5a1d7a995719c78dbdcbe41b026c86010b
RedLineStealer
+ 56 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210803-wyc2xjxxd6/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Downloads MZ/PE file
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
05fddaade3d496582734008ce9602dcb3d1695cf49d405346ceae7c98094f542
MD5 hash:
9d490503c489fcd8a1fab26847f66e93
SHA1 hash:
b7cf75c3e25dea709708c11495b8d76d322f41df
Link:
https://www.unpac.me/results/9c159162-6fc1-4d91-aa1d-65f3b15d1f71/
SH256 hash:
819473ec13f2b0c4c911124defc68969d5feb7e27558cfcf1c30330b0970479d
MD5 hash:
75d21da8b9d45d507c8922f27b2d912c
SHA1 hash:
21ce9c44eabe1a38cb4f17c288fc3fd900e012db
Link:
https://www.unpac.me/results/9c159162-6fc1-4d91-aa1d-65f3b15d1f71/
SH256 hash:
67d57c4bb2d2048a9e3e41dae08b403d5b046fe85dc24a73fafde4d28ed38600
MD5 hash:
1d46827289d9ae8b53f8f7ae54f89000
SHA1 hash:
aa74cc4eeff058a72551f2ed66a4313306bd4239
Link:
https://www.unpac.me/results/9c159162-6fc1-4d91-aa1d-65f3b15d1f71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67d57c4bb2d2048a9e3e41dae08b403d5b046fe85dc24a73fafde4d28ed38600

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 67d57c4bb2d2048a9e3e41dae08b403d5b046fe85dc24a73fafde4d28ed38600

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1502517/
Cape
Cape
https://www.capesandbox.com/analysis/176065/

Comments


Avatar
zbet commented on 2021-08-03 13:31:26 UTC

url : hxxp://volamnoibo.com/update/checkupdate/Autoupdate.exe