MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bf0629c5fa2fc821172ac5131d559debbffd89ed9cdcaa2e3963dbb67d2f734. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bf0629c5fa2fc821172ac5131d559debbffd89ed9cdcaa2e3963dbb67d2f734
SHA3-384 hash: e8b3c316dbd37b4261f5e4e9f60ac173a1f326f96cb6aae4d6114e5252557b019211850d77da4e35ee95658cbf36559c
SHA1 hash: e8b7d673ac67a98adae788f817dec31eb356b4f9
MD5 hash: 92cafcc529ec3b0d6640f7d6569102da
humanhash: apart-yellow-low-maryland
File name:Ghanim Trading LLC-RFQ78009000.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:872'960 bytes
First seen:2021-06-15 13:49:22 UTC
Last seen:2021-06-15 14:53:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:DcPc9EuzXvFmWJfkN++Ay+7BqWMSycfpFoZxrDR4Iy6fbyJJ1P494Xj6pH7R3QRJ:DT5MioZxrDVy2I6kV+quPHpXa62
Threatray 309 similar samples on MalwareBazaar
TLSH CF05CE522EA46A99F4F95B317DF0431203FB7D127B2BE7DD6E8471CD2867E808662312
Reporter malwarelabnet
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ghanim Trading LLC-RFQ78009000.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-15 12:56:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef55499c-6ccc-425e-8af8-ed4a683824fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.13482.17538.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e4654bc-1bd3-4984-8556-a8a16e0a6e79
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/802464
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bf0629c5fa2fc821172ac5131d559debbffd89ed9cdcaa2e3963dbb67d2f734/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 11:19:42 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rpygfhc7ul6ieelsvritdvkz32577we63hg4vixdsy63wz6s642a._file
Verdict:
unknown
Similar samples:
2e826b4ff8b272db629c4983e9edd53656cc4a2e9d24178ebd2b6a8890d1e864
RedLineStealer
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
RedLineStealer
31f7d71ca24fbde43953ebf5e0518c065b795cef8e7b021ca7fbf31a06ce9348
RedLineStealer
564d8ca154a08dbbe3af33d3ec5b5345c31fa8a56d536f9b22063c99db8455d7
RedLineStealer
6bc296fc9ae6bdb27ca23398f69bfb7b44d69734ff0e03a3322fdf688117e2f5
RedLineStealer
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
RedLineStealer
c3c62460fce1e7c6964339da00bc229e02872c21de66a35c3aba8592ef7a8872
RedLineStealer
cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069
RedLineStealer
d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1
RedLineStealer
f535414d7bdcacff5db6ba209be888ebcd7996b1602a3b78a574b72d03cca147
RedLineStealer
+ 299 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210615-q57y6hge7j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
82fe42ffa7c2160c4ba79b666ba52f6dce210e0be5cbbb1419ddf3058215568b
MD5 hash:
a7c717e07a9e8fc3408914687859cf8a
SHA1 hash:
862f0e3f4f99c7674a540327ba08792e8a6cf5a1
Link:
https://www.unpac.me/results/bab822e9-3ddf-4ca9-9624-2dbfe594d0f2/
SH256 hash:
8bf0629c5fa2fc821172ac5131d559debbffd89ed9cdcaa2e3963dbb67d2f734
MD5 hash:
92cafcc529ec3b0d6640f7d6569102da
SHA1 hash:
e8b7d673ac67a98adae788f817dec31eb356b4f9
Link:
https://www.unpac.me/results/bab822e9-3ddf-4ca9-9624-2dbfe594d0f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/8bf0629c5fa2fc821172ac5131d559debbffd89ed9cdcaa2e3963dbb67d2f734

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments