MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b94c5e08aae309d279d90699957b12e670587ce168ac7b86596e1d7d0e2047e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	8b94c5e08aae309d279d90699957b12e670587ce168ac7b86596e1d7d0e2047e
SHA3-384 hash:	dce3141c4b8afa67b2746a6598a18e14d3d22ee3ae8cb5ca1c7dfa1256d4dd781eac43d1d0269cb5a29b3e494b62469a
SHA1 hash:	b4c8fbc7ff5423f097b70c2e233a8b200d7240a2
MD5 hash:	d9257be3e2957808186d0c6accd224ab
humanhash:	princess-batman-six-mississippi
File name:	setup_s.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	802'256 bytes
First seen:	2021-09-07 06:26:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:mPbqQ6aePHLWaVocDBp1xmevlUCbymma2OYIj:6qvfLWaKcDz/5MaT
Threatray	212 similar samples on MalwareBazaar
TLSH	T10105F741E184ECDAC13F23F7E8BDE62059199F8FA234456A2B697E0670A3343719BD4D
dhash icon	d4888e86868eaedc (1 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	bitbucket.org exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup_s.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-07 06:59:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cfbbe76d-e3ee-46ce-bd88-7056faf6cfac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/185912/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Reading critical registry keys

Launching cmd.exe command interpreter

Launching a process

Query of malicious DNS domain

Stealing user critical data

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/12b0578e-f6ea-4c65-8683-fd926af8fea4

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/846308

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8b94c5e08aae309d279d90699957b12e670587ce168ac7b86596e1d7d0e2047e/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-08-19 00:08:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 43 (62.79%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

268b6f7eebdac30d86ff06f718e9289284380c6dfc97803f55fe0156abefd907

RedLineStealer

3c47f8bdb6cb223b1b28ad2401962949c90f1780028be03d775b7d4322aef6f0

RedLineStealer

4047099fa48723c13197f32b1b1c4ca5c450231d1bf8b693df939eb16363f4b0

RedLineStealer

796641693606c51475b6f29a63a9568729b097660ea2cfd9e15b610325dd0b93

RedLineStealer

9c3bd592fc9da10ff2b30b73f2195bad21df56f347eca2011904cf6d00a9a5e2

RedLineStealer

c22d25107e48962b162c935a712240c0a4486b38891855f0e53d5eb972406782

RedLineStealer

d4e27b8e7e1fd965522468bdc3eaf06513dd3a3e7402d9b441ab002dfc892adc

RedLineStealer

f368e01fbba37ee10ab9a92e0aba1f68f7b92f7bc67a4670fcfb0d93f87be451

RedLineStealer

+ 202 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/210907-g7sapafcfq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

25169e83ad1ad2ef8158fd3cc3316b76e00b0e7aa0bea48535da6763d51c0eea

MD5 hash:

336f07f02ef91f1035073dd620e846cf

SHA1 hash:

d0dc3dfa500aa80ffc59367ae1df96e1b42de40a

Link:

https://www.unpac.me/results/04f0cbc9-b9ef-4f46-a06c-86fd6efec2ac/

SH256 hash:

7605be791c9d6e5200faa2f17841b819de95920910ca83faa8c83e8bd88d3945

MD5 hash:

f1b083cc0828f008ef914dc91e57373d

SHA1 hash:

c271f903c27fc76474bebbffb71dc888fdcae041

Link:

https://www.unpac.me/results/04f0cbc9-b9ef-4f46-a06c-86fd6efec2ac/

SH256 hash:

490dc06d0c4b9883654b85298b29ae2bcb0316284a2311d33cfa36c2e7315eaf

MD5 hash:

28d8254ea790e0a8af1af2a30ab63e33

SHA1 hash:

8fdb05c91f6d449664c7894c2bed9f3366b6835c

Link:

https://www.unpac.me/results/04f0cbc9-b9ef-4f46-a06c-86fd6efec2ac/

SH256 hash:

734837177c33399f5dbdb87b3589c2171a094d4913b0e5b32c4a6edb8132ae4b

MD5 hash:

2dd178c70c8889b30f34edcb197846b1

SHA1 hash:

271f1261a2e2d6b07b288dab8ce0311191c00054

Link:

https://www.unpac.me/results/04f0cbc9-b9ef-4f46-a06c-86fd6efec2ac/

SH256 hash:

8b94c5e08aae309d279d90699957b12e670587ce168ac7b86596e1d7d0e2047e

MD5 hash:

d9257be3e2957808186d0c6accd224ab

SHA1 hash:

b4c8fbc7ff5423f097b70c2e233a8b200d7240a2

Link:

https://www.unpac.me/results/04f0cbc9-b9ef-4f46-a06c-86fd6efec2ac/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/8b94c5e08aae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8b94c5e08aae309d279d90699957b12e670587ce168ac7b86596e1d7d0e2047e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185912/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample