MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86a8ee23cb943b383835eb2ba8bc513641ee6953ba1715832a8a485931054273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86a8ee23cb943b383835eb2ba8bc513641ee6953ba1715832a8a485931054273
SHA3-384 hash: 84eeab5cba9223492c551ec5208440afe1b6bd137c9e95e8a205601896d63864aa3b98af37597896f78c11c5c5782699
SHA1 hash: fb4f6f0110940c862b646a665b3bbd4ac698dab2
MD5 hash: ae0a604568552b69066115df36efd41f
humanhash: salami-sad-pennsylvania-purple
File name:Invoice_VC85262241.xll
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:600'064 bytes
First seen:2022-05-12 07:24:26 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep 12288:tn/zDvGHAykHSzLW/4+8bzbBSreMd8PaTgFK/UqWV:BzbGHAzHAjX1MTcLV
Threatray 106 similar samples on MalwareBazaar
TLSH T165D48E57F7C7FAB0E6BE827A86B1851C527774920260A78F674072896D23392493DF0F
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:RedLineStealer xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/86a8ee23cb943b383835eb2ba8bc513641ee6953ba1715832a8a485931054273/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/627cb69a804c0977d3e4f722/reports/d9ab5cc3-a9fd-4133-97f9-2d893fdec2c7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992687
Signature
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office process drops PE file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86a8ee23cb943b383835eb2ba8bc513641ee6953ba1715832a8a485931054273/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-12 07:25:08 UTC
File Type:
PE+ (Dll)
Extracted files:
3
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2uo4i6lsq5tqobv5mv2rpcrgza642ktxilrlazkrjefsmifijzq._file
Verdict:
unknown
Similar samples:
044233e16f3e3ff7dcdeab11bfa49a9e99c943f2f97ee293705e45b9558c2bbb
RedLineStealer
983ffa1a7513ab6d015e1c4785bda2a2f20a47bf6091773db9341ebcdaf84e93
RedLineStealer
aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088
RedLineStealer
b3f6afb079d5d25bea3a043d033091d5a0a8fde399c900a6337bc5e1dd65d279
RedLineStealer
c7ecbd646727c85760706a61c2283909c13cb5cd80f51f3ce5af83ed438d293d
RedLineStealer
cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861
RedLineStealer
d340898f14aaa9f884b022b4be1b849eae4be5e275432348dc6bcb1fa09e28cb
RedLineStealer
dba5353ab99e0d16f30cf5ee5f1f160493b9a9b6364c71197e573f81e4145e75
RedLineStealer
e5013497a297e36f89cc5dc3e369faf27bb9b88684cad53accad8b006433a6c5
RedLineStealer
e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7
RedLineStealer
+ 96 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220512-h9jl1adggm/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86a8ee23cb943b383835eb2ba8bc513641ee6953ba1715832a8a485931054273

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Excel file xll 86a8ee23cb943b383835eb2ba8bc513641ee6953ba1715832a8a485931054273

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments