MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 693e3bf8be7f27a874149f559287d4153502f56d3e09a7303cbd719aa12d3693. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 693e3bf8be7f27a874149f559287d4153502f56d3e09a7303cbd719aa12d3693
SHA3-384 hash: f97ac74b9c3fd3be699fcd6d363badfa633f5dd4668da33d7e46fdc0dbd64e75c2d60b2fad47837241e68eb91b562a19
SHA1 hash: bd17c58eb06c899e8a763242630972909c52a566
MD5 hash: e8c64d9faef5d67bcb4835109bca640c
humanhash: ten-low-avocado-fifteen
File name:693e3bf8be7f27a874149f559287d4153502f56d3e09a7303cbd719aa12d3693
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:175'128 bytes
First seen:2021-09-13 11:18:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:24DZDpvF/uvvYfv0wA48aWIAGgLbkWId2aGsN/c:2YZj/uYrA48adAGgLAWId2dV
Threatray 157 similar samples on MalwareBazaar
TLSH T191048D6355645462C9482734E4B1CF3B37799E242540F25AB4CAFEB7BE3A3CE09B0267
dhash icon 007960733684d440 (2 x RedLineStealer)
Reporter JAMESWT_WT
Tags:ElysiumStealer exe RedLineStealer signed Solar LLC

Code Signing Certificate

Organisation:Solar LLC
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-12-17T00:00:00Z
Valid to:2021-12-17T23:59:59Z
Serial number: 6aaa62208a3a78bfac1443007d031e61
Intelligence: 13 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: e0b4e0146cef64385a2635611ccc0d7b3c7f8a126dfedf7f491d677b4a896d65
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.cracka2zsoft.com/idm-crack-patch-download/
Verdict:
Malicious activity
Analysis date:
2021-09-11 02:40:02 UTC
Tags:
trojan evasion rat redline stealer vidar loader unwanted netsupport kelihos lively idownload nmakck
Link:
https://app.any.run/tasks/e15df0e1-a16c-4ef7-9ed2-3b29d3c5169e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187430/
Detection(s):
Win.Packed.Bulz-9892765-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/617500a09a5a1e91c5d1fb45/reports/7cc11487-20ce-4c2b-8b2c-08c1237b341e/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46571ddd-c432-4e49-a6d2-568647ed467a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/849724
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/693e3bf8be7f27a874149f559287d4153502f56d3e09a7303cbd719aa12d3693/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 02:39:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 44 (43.18%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
RedLineStealer
649196028a2da14a49c0e7ac613ddb03e5cc6ab289081ee32d08b192d562859a
RedLineStealer
847a38c590090d40f07ba44dd60592cd40fe1d37e5f3b65bd6c980be752faafa
RedLineStealer
84b5f43282cdb9d3947e0be64ff3bec298c98b1c35e369a02bf0607a0d7b0de2
RedLineStealer
bf6cc7eea43409deca0f85b678181c98c6cb955b73915efb9975b37286a7905f
RedLineStealer
cd84c2fe9c5f3783d3a6ebdea43e14774975f092ef5242a857b9a4a28e14878a
RedLineStealer
f5aae19b73a4833e19ccff1b95dafa7b0c31a1def9bbaa5480593af68b2f4c85
RedLineStealer
f6aa394f7b0a0f629da6831a1134e4a6cbf21c70dce7f4133319d638d4b58023
RedLineStealer
fa377574c99698cd65d8897d93e96c287dff271d4838107aeac36e7a843c1053
RedLineStealer
fc89316ccd912e374995269d989e0649492e77ed774e5556118289e152479a30
RedLineStealer
+ 147 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210913-net25sded7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f556270f0d3bf9ad0520e1f9556719e3cd19d12771d9a58ca28c1437e09d3c95
MD5 hash:
eb0f0b552705e846ef7d7342bb33c2fe
SHA1 hash:
91ed2191dbb0f385a9129e65b732cd39a85f40af
Link:
https://www.unpac.me/results/20eb518f-3101-46fb-81e0-c62dee23a4a2/
SH256 hash:
693e3bf8be7f27a874149f559287d4153502f56d3e09a7303cbd719aa12d3693
MD5 hash:
e8c64d9faef5d67bcb4835109bca640c
SHA1 hash:
bd17c58eb06c899e8a763242630972909c52a566
Link:
https://www.unpac.me/results/20eb518f-3101-46fb-81e0-c62dee23a4a2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/693e3bf8be7f27a874149f559287d4153502f56d3e09a7303cbd719aa12d3693

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187430/

Comments