MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9532095cf936beca817c76c65d6cfe9a3153e5b8e6337b767207c8b37b39cfa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9532095cf936beca817c76c65d6cfe9a3153e5b8e6337b767207c8b37b39cfa6
SHA3-384 hash: ce7c861845a6a76ee39c607ff471a35c9bb4b35aa4130ca255ec80ed6623da90e78d22c08c288e51390064ec09c47fd3
SHA1 hash: 2e4c2f400887430de2752200d1d986e3529d5530
MD5 hash: c94495cf042b2415ca1aa23282094982
humanhash: floor-blue-uniform-charlie
File name:c94495cf042b2415ca1aa23282094982
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:137'216 bytes
First seen:2021-09-11 18:50:46 UTC
Last seen:2021-09-11 21:12:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:Nne9iDY+SXsQ7PJYM3SbZKbj+HuR82D0IxEGrIXmLQKvAzW3BZUN+u6vmyMX2qDU:JejF7xh38Kbj+2D0ev6WoNVX1t99fe
Threatray 287 similar samples on MalwareBazaar
TLSH T1A2D3A432EC134822CB8F353DEC9F0BCB2A5C81542655F746A055666C5A3CEBEC9F9E12
dhash icon 4cd4b2b29898c44c (2 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c94495cf042b2415ca1aa23282094982
Verdict:
Malicious activity
Analysis date:
2021-09-11 18:52:41 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/0b931a49-7a7e-4c67-8d67-287a7f06a43e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187093/
Detection(s):
SecuriteInfo.com.ArtemisC94495CF042B.10054.30746.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e859a77e-545b-467e-9074-a79a71824306
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849253
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSHTA Spawning Windows Shell
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481682 Sample: DcyCBedo25 Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 3 other signatures 2->98 12 DcyCBedo25.exe 15 8 2->12         started        17 WinHoster.exe 2->17         started        process3 dnsIp4 86 iplogger.org 88.99.66.31, 443, 49745, 49747 HETZNER-ASDE Germany 12->86 88 startupmart.bar 104.21.37.182, 443, 49737, 49738 CLOUDFLARENETUS United States 12->88 90 192.168.2.1 unknown unknown 12->90 74 C:\ProgramData\4610115.exe, PE32 12->74 dropped 76 C:\ProgramData\3562328.exe, PE32 12->76 dropped 78 C:\ProgramData\3464902.exe, PE32 12->78 dropped 80 2 other files (1 malicious) 12->80 dropped 110 May check the online IP address of the machine 12->110 19 3464902.exe 1 4 12->19         started        23 3562328.exe 7 12->23         started        25 4610115.exe 14 22 12->25         started        28 7347624.exe 15 11 12->28         started        file5 signatures6 process7 dnsIp8 60 C:\Users\user\AppData\...\WinHoster.exe, PE32 19->60 dropped 102 Multi AV Scanner detection for dropped file 19->102 104 Detected unpacking (changes PE section rights) 19->104 106 Machine Learning detection for dropped file 19->106 30 WinHoster.exe 2 19->30         started        33 mshta.exe 23->33         started        82 wheelllc.bar 172.67.136.53, 443, 49742, 49755 CLOUDFLARENETUS United States 25->82 108 Tries to harvest and steal browser information (history, passwords, etc) 25->108 35 WerFault.exe 25->35         started        37 WerFault.exe 25->37         started        84 phonefix.bar 104.21.10.67, 443, 49746 CLOUDFLARENETUS United States 28->84 62 C:\ProgramData\41\vcruntime140.dll, PE32 28->62 dropped 64 C:\ProgramData\41\sqlite3.dll, PE32 28->64 dropped 66 C:\ProgramData\41\softokn3.dll, PE32 28->66 dropped 68 4 other files (none is malicious) 28->68 dropped 39 WerFault.exe 28->39         started        file9 signatures10 process11 signatures12 112 Detected unpacking (changes PE section rights) 30->112 41 cmd.exe 33->41         started        process13 file14 70 C:\Users\user\AppData\Local\Temp\uIA5.eXE, PE32 41->70 dropped 44 uIA5.eXE 41->44         started        47 conhost.exe 41->47         started        49 taskkill.exe 41->49         started        process15 file16 72 C:\Users\user\AppData\Local\Temp\MVqj65p._, PE32 44->72 dropped 51 rundll32.exe 44->51         started        54 mshta.exe 44->54         started        process17 signatures18 100 Contains functionality to detect sleep reduction / modifications 51->100 56 cmd.exe 54->56         started        process19 process20 58 conhost.exe 56->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9532095cf936beca817c76c65d6cfe9a3153e5b8e6337b767207c8b37b39cfa6/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 17:11:12 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0af8d47a09b1f5ea9544e89eb83e8a572b8a78fcb28db74ee523da4b1797cd3e
RedLineStealer
137c8e3e5c12b84d31907c3b8adccae1f3c19177ad410f36e423b5efa425af19
RedLineStealer
24eb0bd021f8e1c1279ca74e2f6d9f9d0ac68734e84811a5ba9f7ea70f730bbd
RedLineStealer
44a14aed4c8b6d771d10522817dbdc97d4dfe1be4f9ae3e45749502c51a73c8c
RedLineStealer
4737ea5151d02ccd6fdf58f879792c4e0b8a682005bdea63f28c373156d407cc
RedLineStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
RedLineStealer
ac5e6f8e646311bf3645ccdccf7119712ada6811d973444d3a763d17083ef028
RedLineStealer
c9d7ca6e47124b6b22a43986d6f21ec70c0173a2d72553595f87c6450d103e2a
RedLineStealer
f5aae19b73a4833e19ccff1b95dafa7b0c31a1def9bbaa5480593af68b2f4c85
RedLineStealer
f6aa394f7b0a0f629da6831a1134e4a6cbf21c70dce7f4133319d638d4b58023
RedLineStealer
+ 277 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/210911-xhhb7aefgp/
Behaviour
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
9532095cf936beca817c76c65d6cfe9a3153e5b8e6337b767207c8b37b39cfa6
MD5 hash:
c94495cf042b2415ca1aa23282094982
SHA1 hash:
2e4c2f400887430de2752200d1d986e3529d5530
Link:
https://www.unpac.me/results/7b9a7aaa-1f23-4d05-b0a0-0057dc515140/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9532095cf936/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9532095cf936beca817c76c65d6cfe9a3153e5b8e6337b767207c8b37b39cfa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9532095cf936beca817c76c65d6cfe9a3153e5b8e6337b767207c8b37b39cfa6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1611577/
Cape
Cape
https://www.capesandbox.com/analysis/187093/

Comments


Avatar
zbet commented on 2021-09-11 18:50:47 UTC

url : hxxps://www.svanaturals.com/sva/pdf_finals/dompdf/PublicDwlBrowser155.exe