MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d27f2de1e4f2126e11f0031826c02e815d5462d7789b642f59603c5ec5d616f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d27f2de1e4f2126e11f0031826c02e815d5462d7789b642f59603c5ec5d616f
SHA3-384 hash: 5309458d32594ebcfc583f6becb4c9bd06ce098eb44adc883a4aae00a3a66207bf1979ae5b1188aafb3ec4734c5c63cb
SHA1 hash: 3c8bb918ca5dd9ba37dec92512b0a09a16257c37
MD5 hash: fd049d2d63a5c8a04a1955f9d3b4acd0
humanhash: december-snake-october-bravo
File name:3278_pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:28'040 bytes
First seen:2021-07-19 05:53:07 UTC
Last seen:2021-07-27 13:42:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:MagWheOtqaQ0yjBh5OJbGkGflk2ZN/CUhh+c:JtqaQFt2WZNJ/
Threatray 7 similar samples on MalwareBazaar
TLSH T1EFC239E96B9844F6C96CF532F1A24001AB33A2B7A511CD1FA1CD61474D13B52ABC47AF
Reporter cocaman
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:3ehzjOXjic6vJeU9949m8z4268e8464d4tbh8b52o575aeya
Issuer:3ehzjOXjic6vJeU9949m8z4268e8464d4tbh8b52o575aeya
Algorithm:sha256WithRSAEncryption
Valid from:2021-07-18T21:16:46Z
Valid to:2022-07-18T21:16:46Z
Serial number: a068e60097512871ab63934041cb2e28
Thumbprint Algorithm:SHA256
Thumbprint: 0e56836ad2069f5e11a98bca0646cee4f9d7ab61d98ad98f4ed7ccfdf949cb05
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3278_pdf.exe
Verdict:
No threats detected
Analysis date:
2021-07-19 05:56:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/072dd05f-67fa-4bb0-a4e8-b293c787bf3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172467/
Detection(s):
SecuriteInfo.com.ArtemisFD049D2D63A5.27937.14366.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5daa72be-ed66-4df7-9602-2cfb6d6b3793
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/818049
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Uses Windows timers to delay execution
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d27f2de1e4f2126e11f0031826c02e815d5462d7789b642f59603c5ec5d616f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nut7fxq6j4qsnyi7aayye3ac5ak5krrno6e3mqxvsyb4l3c5mfxq._file
Verdict:
unknown
Similar samples:
0b3279dcdbdc13a5025cec008353d4c7be4eb0d7722cd6d5767ee077ffb443e3
RedLineStealer
56727d66fb4eb4f8ced3a4628e9bce8fbea684aa5ed0ab0441dbc3dd29c74f00
RedLineStealer
802c56b6f190b1e7bb65ab1b6c82cfaa62724fe1cb4fa0c0c4acd1061064f952
RedLineStealer
ab474533900efe36d0a2e49ef696d645d2d93434b72cfaae7c6f7154a7d8abbe
RedLineStealer
cc8712e3a1ef6a730a68805e62971d3da99efcbf120fb627d1c7315b3ca35f8b
RedLineStealer
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523
RedLineStealer
fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd
RedLineStealer
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210719-l2whzxss1n/
Unpacked files
SH256 hash:
6d27f2de1e4f2126e11f0031826c02e815d5462d7789b642f59603c5ec5d616f
MD5 hash:
fd049d2d63a5c8a04a1955f9d3b4acd0
SHA1 hash:
3c8bb918ca5dd9ba37dec92512b0a09a16257c37
Link:
https://www.unpac.me/results/4f8cf105-e6f5-4f40-a9dd-18eb3c3b3b1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d27f2de1e4f2126e11f0031826c02e815d5462d7789b642f59603c5ec5d616f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

gz d7151920849dd1270baa5fcd224f201158b553623f27421be29885e4c17badd4

RedLineStealer

Executable exe 6d27f2de1e4f2126e11f0031826c02e815d5462d7789b642f59603c5ec5d616f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d7151920849dd1270baa5fcd224f201158b553623f27421be29885e4c17badd4
Cape
Cape
https://www.capesandbox.com/analysis/172467/

Comments