MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80227896b81e39620f95acf0da9b41f8d555719fbe1cce0b5e341e7a0a307b0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80227896b81e39620f95acf0da9b41f8d555719fbe1cce0b5e341e7a0a307b0d
SHA3-384 hash: b9865e2784dd81aa1fec02ec4090dd828d4ea8abba3ec79d1f9ae6487fac7ec3f220d065e008b1a70e17562187d3184c
SHA1 hash: 23698060c20c0046e96f757c269ec180a0dfc825
MD5 hash: 0ae05b41cfe5df9aa28b927fbe2f5906
humanhash: pluto-emma-arkansas-fanta
File name:0ae05b41cfe5df9aa28b927fbe2f5906
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:795'648 bytes
First seen:2021-06-24 12:53:31 UTC
Last seen:2021-06-24 13:54:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:Nje74j3d0PJ/R8ZBA130X/EAb3xVufRyP:d
Threatray 91 similar samples on MalwareBazaar
TLSH 2B053D1868BFD11960E3FEA12EDCA4FBD99E55E3240D747B106163278B12B80DE8F479
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ae05b41cfe5df9aa28b927fbe2f5906
Verdict:
Malicious activity
Analysis date:
2021-06-24 12:56:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ae75efe-3d59-4f4e-9201-c7f45bf2745f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168035/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.109.9524.5606.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a9b1ba1-74c3-46c1-a5e9-f6f83d845f5e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/807478
Signature
.NET source code contains very large strings
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439896 Sample: pUrNb19Owu Startdate: 24/06/2021 Architecture: WINDOWS Score: 68 34 Multi AV Scanner detection for dropped file 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 .NET source code contains very large strings 2->38 8 pUrNb19Owu.exe 4 2->8         started        12 pUrNb19Owu.exe 3 2->12         started        process3 file4 28 C:\Users\user\AppData\...\pUrNb19Owu.exe.log, ASCII 8->28 dropped 42 Drops PE files to the startup folder 8->42 14 pUrNb19Owu.exe 2 8->14         started        17 conhost.exe 8->17         started        44 Injects a PE file into a foreign processes 12->44 19 conhost.exe 12->19         started        21 pUrNb19Owu.exe 12->21         started        signatures5 process6 file7 30 C:\Users\user\AppData\...\pUrNb19Owu.exe, PE32 14->30 dropped 32 C:\Users\...\pUrNb19Owu.exe:Zone.Identifier, ASCII 14->32 dropped 23 pUrNb19Owu.exe 2 14->23         started        process8 signatures9 40 Injects a PE file into a foreign processes 23->40 26 pUrNb19Owu.exe 23->26         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80227896b81e39620f95acf0da9b41f8d555719fbe1cce0b5e341e7a0a307b0d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 01:54:00 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
RedLineStealer
416759a2c6d7a277aaea4f313f09ab1ff34538ec80edc749ab062f6051454ac3
RedLineStealer
48643d9ccc694960fb84f505524d0f148a0331a7e2569171ff3999dd60bc7154
RedLineStealer
8040940621af7b77ecbb66d16ca8fc924900960d48665247aa3f77d4de560c9a
RedLineStealer
90addde215f91e26c72e94c4242a924d6814c0b3140dd64ed8e671bd636d02dc
RedLineStealer
9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9
RedLineStealer
983c0382ec70c1735beee57fef88ca9fc6f5f3dfbf457e548790518408339cee
RedLineStealer
b751a245f558db84cf77e46e473073e2dd23fbde9f9d150d63e525bbf4b88e8c
RedLineStealer
ba9c1b8eca8da8168c6e5db31aacf36d2b9859054992d05e06faa61927ce3d59
RedLineStealer
efea5e4af45434b028bbb6f0f45e57d74cc37a0d46ba85921f456806d48bc97c
RedLineStealer
+ 81 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210624-6k9bwys26s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
02aa7be52bce67b582d996d58fe0e904fd35c385c757967a41310a994b935978
MD5 hash:
44dba44f0197dd6d2ec7df2694e2f786
SHA1 hash:
74c0ec4c5066d8621ffb9bbc0e0b007c551aac57
Link:
https://www.unpac.me/results/57c7637b-475d-42b2-93d0-20f2f7598793/
SH256 hash:
80227896b81e39620f95acf0da9b41f8d555719fbe1cce0b5e341e7a0a307b0d
MD5 hash:
0ae05b41cfe5df9aa28b927fbe2f5906
SHA1 hash:
23698060c20c0046e96f757c269ec180a0dfc825
Link:
https://www.unpac.me/results/57c7637b-475d-42b2-93d0-20f2f7598793/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/80227896b81e39620f95acf0da9b41f8d555719fbe1cce0b5e341e7a0a307b0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 80227896b81e39620f95acf0da9b41f8d555719fbe1cce0b5e341e7a0a307b0d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394657/
Cape
Cape
https://www.capesandbox.com/analysis/168035/

Comments