MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bbbe63faf9184516d51c5855240541037a3c5e8b3365e1cc7890e19fd3651c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bbbe63faf9184516d51c5855240541037a3c5e8b3365e1cc7890e19fd3651c7
SHA3-384 hash: 72f962a962878dcce01571aeaf2bfc1e2c3dbda94b13c3fc6d3231e1d9f2d337ad39f3a10e87fc232e46dafdf930543b
SHA1 hash: 70904808fd08b61ac18af229fcf4e1a485e2c885
MD5 hash: ac61f35e43f5ecdf660477ac30a900a0
humanhash: twelve-colorado-low-alpha
File name:ac61f35e43f5ecdf660477ac30a900a0
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:13'312 bytes
First seen:2021-06-18 16:03:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:O2i4ULC+Sd73W3Tt5KmbZSouRGkoptYcFSVc03K:hULC+Sd73W3x5Rbhrk8tYcFSVc6K
Threatray 545 similar samples on MalwareBazaar
TLSH AF528542B7E80225F1F79B797ABA1209CE37BE1F9952CD5D344C510D6F32A4089A3B72
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ac61f35e43f5ecdf660477ac30a900a0
Verdict:
No threats detected
Analysis date:
2021-06-18 16:06:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb61ccbb-203b-4c18-8aaa-ade6163e6c51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166877/
Detection(s):
Win.Malware.Ursu-9794593-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbf88fdd-f9ca-4000-bcb2-83348463e490
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/804444
Signature
Antivirus detection for URL or domain
Disables Windows Defender (via service or powershell)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 436855 Sample: HkwM7N5Wo5 Startdate: 18/06/2021 Architecture: WINDOWS Score: 96 49 checkip.dyndns.org 2->49 51 ipinfo.io 2->51 53 checkip.dyndns.com 2->53 63 Multi AV Scanner detection for domain / URL 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for URL or domain 2->67 69 3 other signatures 2->69 8 HkwM7N5Wo5.exe 17 5 2->8         started        signatures3 process4 dnsIp5 61 178.47.141.153, 49732, 80 ROSTELECOM-ASRU Russian Federation 8->61 39 C:\Users\user\AppData\Local\Temp\sbvc.exe, PE32 8->39 dropped 77 Disables Windows Defender (via service or powershell) 8->77 13 sbvc.exe 8->13         started        17 powershell.exe 23 8->17         started        19 powershell.exe 5 8->19         started        21 12 other processes 8->21 file6 signatures7 process8 file9 41 C:\Users\user\AppData\Local\...\Svc_host.exe, PE32 13->41 dropped 43 C:\Users\user\AppData\...\Svc_host.exe.config, XML 13->43 dropped 45 C:\Users\user\AppData\...\SQLite.Interop.dll, PE32 13->45 dropped 47 9 other files (none is malicious) 13->47 dropped 79 Machine Learning detection for dropped file 13->79 23 Svc_host.exe 13->23         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        35 conhost.exe 21->35         started        37 9 other processes 21->37 signatures10 process11 dnsIp12 55 checkip.dyndns.org 23->55 57 ipinfo.io 34.117.59.81, 49738, 49747, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 23->57 59 checkip.dyndns.com 216.146.43.71, 49737, 49746, 80 DYNDNSUS United States 23->59 71 Multi AV Scanner detection for dropped file 23->71 73 May check the online IP address of the machine 23->73 75 Machine Learning detection for dropped file 23->75 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bbbe63faf9184516d51c5855240541037a3c5e8b3365e1cc7890e19fd3651c7/
Threat name:
ByteCode-MSIL.Trojan.AntiWD
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 16:04:10 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
048066b8f8dcf8a74e78e458a727edf50094a5849dbaae9cc80df053deae7c47
RedLineStealer
40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8
RedLineStealer
504229eb947e4ae07f6cb408da3dde9ae2ae2996b4df208ab9d06558f39d2cf5
RedLineStealer
630d32b6440a2825ba58cd1c0f3ce1f8b431b42722227ba075ad907384dd23fc
RedLineStealer
6d915396aa09593693247c54c4a91feea691dc6e5f4ff234791a6193d2b5ac1b
RedLineStealer
7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4
RedLineStealer
8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c
RedLineStealer
91b886840c7f674d17b48e5d2264228a55fe0f28e32e102c84dad5cca49ed807
RedLineStealer
9c2be0c1c80a7f7c5de355be5d52ea7f1b023ca29fcf33a753c41c13bbdb8ef9
RedLineStealer
a408e65fa77a4eded318a05af68fe27f522ec61b0c3e30aa34a5703b06fe2cf8
RedLineStealer
+ 535 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion spyware stealer trojan
Link:
https://tria.ge/reports/210618-2bzlqb9wax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
6bbbe63faf9184516d51c5855240541037a3c5e8b3365e1cc7890e19fd3651c7
MD5 hash:
ac61f35e43f5ecdf660477ac30a900a0
SHA1 hash:
70904808fd08b61ac18af229fcf4e1a485e2c885
Link:
https://www.unpac.me/results/278a0cc3-e331-4931-b68a-fa3b76e7f54d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bbbe63faf9184516d51c5855240541037a3c5e8b3365e1cc7890e19fd3651c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6bbbe63faf9184516d51c5855240541037a3c5e8b3365e1cc7890e19fd3651c7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1376726/
Cape
Cape
https://www.capesandbox.com/analysis/166877/

Comments