MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 897f62b228d85313c9553a59c7591e8eb2d43c0abb4dec0c15784bfe00d8faf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 897f62b228d85313c9553a59c7591e8eb2d43c0abb4dec0c15784bfe00d8faf9
SHA3-384 hash: 30b4e66ed5efc2ac68bef2486e85dfc3e3c655cff2da96e4e8f4883e02fd8e443e21e65f8227a8f60a9a89e877e9808b
SHA1 hash: a680e18ac2f9a0c795fd406942c4b4081940530c
MD5 hash: 0aef2e930d75644971293b419521997a
humanhash: music-washington-fish-alaska
File name:SecuriteInfo.com.Win32.PWSX-genTrj.14465.12544
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:136'704 bytes
First seen:2021-09-11 21:12:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 1536:4O6SFQ2gQF6V0YkaQykBIqAMuK5FZs3YSh:r6P2/F6o1Ffuoo
Threatray 1'101 similar samples on MalwareBazaar
TLSH T1BAD37032EC134822DF8F393DEC9F0BDB2A9C81942615F7465055665C5A3CEBAC8F9E12
dhash icon 4cd4b2b29898c44c (2 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-genTrj.14465.12544
Verdict:
Malicious activity
Analysis date:
2021-09-11 21:15:45 UTC
Tags:
stealer evasion
Link:
https://app.any.run/tasks/70c022e9-35e2-4551-9891-22e86e984d27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187104/
Detection(s):
SecuriteInfo.com.Win32.PWSX-genTrj.14465.12544.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/510ad5f7-a031-4ccb-b1be-ec4af59408ae
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849276
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481705 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 5 other signatures 2->97 12 SecuriteInfo.com.Win32.PWSX-genTrj.14465.exe 15 8 2->12         started        17 WinHoster.exe 2->17         started        process3 dnsIp4 85 iplogger.org 88.99.66.31, 443, 49744, 49745 HETZNER-ASDE Germany 12->85 87 startupmart.bar 104.21.37.182, 443, 49736, 49737 CLOUDFLARENETUS United States 12->87 73 C:\ProgramData\6815721.exe, PE32 12->73 dropped 75 C:\ProgramData\4272366.exe, PE32 12->75 dropped 77 C:\ProgramData\3224579.exe, PE32 12->77 dropped 79 2 other files (1 malicious) 12->79 dropped 109 May check the online IP address of the machine 12->109 19 3224579.exe 7 12->19         started        22 6815721.exe 1 4 12->22         started        25 4272366.exe 14 22 12->25         started        28 7009875.exe 15 11 12->28         started        file5 signatures6 process7 dnsIp8 101 Machine Learning detection for dropped file 19->101 30 mshta.exe 19->30         started        59 C:\Users\user\AppData\...\WinHoster.exe, PE32 22->59 dropped 103 Detected unpacking (changes PE section rights) 22->103 32 WinHoster.exe 2 22->32         started        81 wheelllc.bar 172.67.136.53, 443, 49742, 49754 CLOUDFLARENETUS United States 25->81 105 Tries to harvest and steal browser information (history, passwords, etc) 25->105 35 WerFault.exe 25->35         started        83 phonefix.bar 172.67.131.66, 443, 49746 CLOUDFLARENETUS United States 28->83 61 C:\ProgramData\70\vcruntime140.dll, PE32 28->61 dropped 63 C:\ProgramData\70\sqlite3.dll, PE32 28->63 dropped 65 C:\ProgramData\70\softokn3.dll, PE32 28->65 dropped 67 4 other files (none is malicious) 28->67 dropped 37 WerFault.exe 28->37         started        file9 signatures10 process11 signatures12 39 cmd.exe 30->39         started        89 Detected unpacking (changes PE section rights) 32->89 process13 file14 69 C:\Users\user\AppData\...\C3KHKEn~m73GVLA.exE, PE32 39->69 dropped 42 C3KHKEn~m73GVLA.exE 39->42         started        46 conhost.exe 39->46         started        48 taskkill.exe 39->48         started        process15 file16 71 C:\Users\user\AppData\Local\Temp\zyYHq.U, PE32 42->71 dropped 107 Machine Learning detection for dropped file 42->107 50 rundll32.exe 42->50         started        53 mshta.exe 42->53         started        signatures17 process18 signatures19 99 Contains functionality to detect sleep reduction / modifications 50->99 55 cmd.exe 53->55         started        process20 process21 57 conhost.exe 55->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/897f62b228d85313c9553a59c7591e8eb2d43c0abb4dec0c15784bfe00d8faf9/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 19:30:30 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0baa32b7bcb4277b45bd1fef249f5753a1034a1b5fc02b4f7a07fbaf95939cdd
RedLineStealer
137c8e3e5c12b84d31907c3b8adccae1f3c19177ad410f36e423b5efa425af19
RedLineStealer
1f5bcf8999a43561cd15a17772e87ab3a304a2e6062b94a66ff526c358c4ee8e
RedLineStealer
26b7bd2300a9c08d3ef195f92847c8981c0ffcb4a2055002592c8f24c96506ea
RedLineStealer
44a14aed4c8b6d771d10522817dbdc97d4dfe1be4f9ae3e45749502c51a73c8c
RedLineStealer
4737ea5151d02ccd6fdf58f879792c4e0b8a682005bdea63f28c373156d407cc
RedLineStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
RedLineStealer
ac5e6f8e646311bf3645ccdccf7119712ada6811d973444d3a763d17083ef028
RedLineStealer
f5aae19b73a4833e19ccff1b95dafa7b0c31a1def9bbaa5480593af68b2f4c85
RedLineStealer
+ 1'091 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/210911-z2q5jsbgd4/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
897f62b228d85313c9553a59c7591e8eb2d43c0abb4dec0c15784bfe00d8faf9
MD5 hash:
0aef2e930d75644971293b419521997a
SHA1 hash:
a680e18ac2f9a0c795fd406942c4b4081940530c
Link:
https://www.unpac.me/results/c06bf550-e855-483a-ba44-e53ad80c4804/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/897f62b228d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/897f62b228d85313c9553a59c7591e8eb2d43c0abb4dec0c15784bfe00d8faf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 897f62b228d85313c9553a59c7591e8eb2d43c0abb4dec0c15784bfe00d8faf9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1611572/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187104/

Comments