MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85c33710a2a0b804e04d953029df47330b86b90752130210226617cf51efa24b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85c33710a2a0b804e04d953029df47330b86b90752130210226617cf51efa24b
SHA3-384 hash: 9375303a36ba6e597061c84c53a5b16037bb3afd236a8f026ca75d818e33b7c3f28d797b0e528c19ce4e7cf3b7b054b9
SHA1 hash: 14e83c5a384a093185dab06a63230478053953d8
MD5 hash: 9c9e61bb17c37a99e69ce8a19866b755
humanhash: three-mike-hydrogen-snake
File name:9c9e61bb17c37a99e69ce8a19866b755.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:111'616 bytes
First seen:2021-08-17 13:27:51 UTC
Last seen:2021-08-17 14:11:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:Pd5Bpo22WM8jPN8BNRoP/UPo1iFjbkBXYxAe4S8Y:JiWME18XyP/UPo1iFjbkBXYxAer8
Threatray 2'895 similar samples on MalwareBazaar
TLSH T1A5B3CB9D766072DFC85BD472DEA82C64EA60647B931B9203E01716EDEE0D89BCF150F2
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9c9e61bb17c37a99e69ce8a19866b755.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 13:39:19 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/33a556d7-0332-438e-b113-fc2b4c850c15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179970/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37395072.18810.6.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f78ebfcc-5aa7-4d48-9b04-0dd99ede5522
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/834362
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85c33710a2a0b804e04d953029df47330b86b90752130210226617cf51efa24b/
Threat name:
ByteCode-MSIL.Spyware.Bobik
Create hunting rule
Status:
Malicious
First seen:
2021-08-13 22:56:49 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  2/5
Verdict:
unknown
Similar samples:
17481cdb2d9566e16b46d94992aaf665bc2414c67777b27ad8714904b46fb341
RedLineStealer
4106d7796887912eef46c78f6f62593d12152ae114e6e67c004afcaddb4296f5
RedLineStealer
66428bc7e93f0c6e440d5d078506a28a53d5f65df1382b733206c68659076c84
RedLineStealer
69fd68e42bf6c97d7d97134c248ced79cd81fe6b58873b3d31558bf4d875a097
RedLineStealer
9e955a45b4cfc93907301667eb452539354da528fafdcaeb45da78a7388981cf
RedLineStealer
b8c82e3b1a2c2b7393336f45b8c69a11838dcfb4c6823865102ca09080f56757
RedLineStealer
f5a541e463d4446bbe18d539e3fc65ee4fd0319aedfef463f7b03332d05a34d5
RedLineStealer
f974f658397b27bbc57a78873cfbebe57a8ff2742fc9b8bc4a69bc6736625099
RedLineStealer
f9db53d550731012ca850383afa5bdaa9093bb04a15e7dfbe7806acc1041d4cb
RedLineStealer
+ 2'885 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/210817-4xcnfn7vta/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Unpacked files
SH256 hash:
86a57f69df5101551f01032192ee286ed749c31cc368651c841fe27969dc5d94
MD5 hash:
99323037a7952f1320f1e221c67e6905
SHA1 hash:
58784edded7ee0de61c87614b6c3d96a27623a26
Link:
https://www.unpac.me/results/3a4e56b9-2996-447f-8da5-f6154144c6c7/
SH256 hash:
85c33710a2a0b804e04d953029df47330b86b90752130210226617cf51efa24b
MD5 hash:
9c9e61bb17c37a99e69ce8a19866b755
SHA1 hash:
14e83c5a384a093185dab06a63230478053953d8
Link:
https://www.unpac.me/results/3a4e56b9-2996-447f-8da5-f6154144c6c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/85c33710a2a0b804e04d953029df47330b86b90752130210226617cf51efa24b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179970/

Comments