MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82db91ac779a5be13c8cb0ec1317c294a6447cef309083d19dbc0f661292d362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82db91ac779a5be13c8cb0ec1317c294a6447cef309083d19dbc0f661292d362
SHA3-384 hash: 2e089e4b7f4f3aed47e7d107e46f7be363f5485ecec78161ae20cde402b70d380d78fe857ea9d75f0f157cfe3f755d5c
SHA1 hash: bebbef65b62b3759137a5a051940ac534b99b8dd
MD5 hash: 266139db1a0d9551c759fac7f4e80eb2
humanhash: diet-sad-march-lima
File name:WindowsFormsApp1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:20'992 bytes
First seen:2021-07-15 19:00:01 UTC
Last seen:2021-07-15 19:43:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:WasY/Em4vp6hdd6Sp6CQKh35PxJZxy/JaJHb2PDMLap9Bgf:t//gp6p6Sx5JlKsnEgf
Threatray 1'060 similar samples on MalwareBazaar
TLSH T1B19209193180F228D2E70A701C63F970377897B05851E20EE0A56A5CCF436FAB9EDDDA
Reporter James_inthe_box
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Phonzy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172066/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.3296.31661.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc27cacf-dbb4-4845-bffb-6885f128febd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817146
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Service Binary Directory
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449557 Sample: WindowsFormsApp1.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 63 prda.aadg.msidentity.com 2->63 65 clientconfig.passport.net 2->65 75 Multi AV Scanner detection for domain / URL 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Sigma detected: Suspect Svchost Activity 2->79 81 6 other signatures 2->81 8 svchost.exe 2->8         started        11 WindowsFormsApp1.exe 18 9 2->11         started        15 svchost.exe 2->15         started        17 9 other processes 2->17 signatures3 process4 dnsIp5 85 System process connects to network (likely due to code injection or exploit) 8->85 87 Multi AV Scanner detection for dropped file 8->87 89 Machine Learning detection for dropped file 8->89 19 svchost.exe 8->19         started        23 powershell.exe 8->23         started        25 powershell.exe 8->25         started        27 powershell.exe 8->27         started        71 bakercost.gq 104.21.13.164, 443, 49700 CLOUDFLARENETUS United States 11->71 57 C:\Users\Public\Documents\...\svchost.exe, PE32 11->57 dropped 59 C:\Users\user\...\WindowsFormsApp1.exe.log, ASCII 11->59 dropped 61 C:\Users\...\svchost.exe:Zone.Identifier, ASCII 11->61 dropped 91 Adds a directory exclusion to Windows Defender 11->91 93 Drops PE files with benign system names 11->93 29 powershell.exe 25 11->29         started        31 powershell.exe 24 11->31         started        33 powershell.exe 11->33         started        35 WindowsFormsApp1.exe 11->35         started        37 4 other processes 15->37 73 127.0.0.1 unknown unknown 17->73 95 Changes security center settings (notifications, updates, antivirus, firewall) 17->95 file6 signatures7 process8 dnsIp9 67 premiumservice.awsmppl.com 194.187.251.163, 49737, 58867 M247GB United Kingdom 19->67 69 192.168.2.1 unknown unknown 19->69 83 System process connects to network (likely due to code injection or exploit) 19->83 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 37->51         started        53 conhost.exe 37->53         started        55 conhost.exe 37->55         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82db91ac779a5be13c8cb0ec1317c294a6447cef309083d19dbc0f661292d362/
Threat name:
ByteCode-MSIL.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-15 18:59:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
8 of 27 (29.63%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00668082deeb1c79ed4a3b9cc93bdcb63a49a67dce5f931c0ec4de660a758334
RedLineStealer
089e8696eff20b84e89e801127624dada3b321b0523d45cb648d437af4271716
RedLineStealer
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
RedLineStealer
41ec47ce62f13677c0c4576c97e299471072aa9ade05670ad0aefdbbd9187fca
RedLineStealer
68815fd1b30680f0810f01b9d651b31995e2dbce667d2e2a785eab4c1e56765c
RedLineStealer
7376d32f8171d48ea13d212885e8cb3701913eb054c2431adc9782e465d271e0
RedLineStealer
74fcf52e21cc888d770d0b11d411a10bf58b17de81d9376856a381f416bf1a39
RedLineStealer
ac2f6be5e15c9c9344043219d8487fdbe92ad443fa23b195b4f4baee5500a5f9
RedLineStealer
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
RedLineStealer
f8292298f2fe8d14012c0c6d4b98ef47d38dfb0e8e359a81fbcfd338d915dfbb
RedLineStealer
+ 1'050 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210715-268g14ag1x/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
autoit_exe
Adds Run key to start application
Windows security modification
Windows security bypass
Unpacked files
SH256 hash:
82db91ac779a5be13c8cb0ec1317c294a6447cef309083d19dbc0f661292d362
MD5 hash:
266139db1a0d9551c759fac7f4e80eb2
SHA1 hash:
bebbef65b62b3759137a5a051940ac534b99b8dd
Link:
https://www.unpac.me/results/64ea7fbd-2b11-4538-b97a-c3b778a23312/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/82db91ac779a5be13c8cb0ec1317c294a6447cef309083d19dbc0f661292d362

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/172066/

Comments