MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cc5b0fd79e8aa94ce95bd47d074b18583b0690881d742841848aff2865f3714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	9cc5b0fd79e8aa94ce95bd47d074b18583b0690881d742841848aff2865f3714
SHA3-384 hash:	61f5ded276ea3c340290342487ca62b9f8dde39d3818f06dfe8de1759d9f27b414c0ba9c2ee6f0003e4a9028131fc072
SHA1 hash:	3c20b6064a0b790964b09288da59e04908aa8b64
MD5 hash:	23ade93958819f56138c24e5544c68be
humanhash:	robin-delaware-seven-winter
File name:	23ade939_by_Libranalysis
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	208'896 bytes
First seen:	2021-05-09 20:04:49 UTC
Last seen:	2021-05-09 20:42:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:QKsJ/AY2IJRsop7RY7vasGN3cF8MkKrINEf0QRCB:QvJ4YFJXRY7vasicbvMyVU
Threatray	42 similar samples on MalwareBazaar
TLSH	3D140107B748D5B2D9D84E7BC6EA25048331EB577016E19E3CCE6352991B3EF2D088E9
Reporter	Libranalysis
Tags:	RedLineStealer

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/153604/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.712.17519.2659.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Creating a process from a recently created file

Creating a file

Creating a window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun

Deleting of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9cc5b0fd79e8aa94ce95bd47d074b18583b0690881d742841848aff2865f3714/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2021-05-08 00:58:13 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

3/5

Verdict:

unknown

RedLineStealer

1a3c8d4c234d4766225d3b266d3287d2412c1f7a7349456490971fdd811ce5e7

RedLineStealer

21a80acf73e3f20e162bcd9e70aafa28681be230056a51bd92677a554e6d3ad9

RedLineStealer

230105e9e7579165b1cfa4088219f9b16723242873b5167f55e639b0b2376b49

RedLineStealer

2afd183ed90b0d240dad19c417fa762da0295aa0614dd20809b406e33ff2304f

RedLineStealer

76455f7336aa729ffcfa29bfd7b2d558be37e5996b6906c56f6a7e7d01a52764

RedLineStealer

b8f8eab3a49bec6b9306853e8e5e2da49ba66b5773b259a2d6edfba479d10e85

RedLineStealer

c28d812d61b0fd0a86fce89b6ad22f29c8ad6c6b37bc88a944a968e35649d766

RedLineStealer

f13627e2828eca6397c7dc7af40f006250e7583857e909615aad94b340bcb30e

RedLineStealer

ff6299f111f535583b9cc7ae47657986e2a8cce1eade0adfb4443aceeca44693

RedLineStealer

+ 32 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/210509-rtrda2t5jn/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Deletes itself

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

cea8040fd37819043771a74bfb0340e6486cf955c26d1cd61c33b124a5058c75

MD5 hash:

39562a3e77c5820d21be31bfe0cbf4e2

SHA1 hash:

adff9066a181a93d6e058a9f0f5eb0b8ec2b9478

Link:

https://www.unpac.me/results/bf19e314-d719-467e-bc1e-10bb0afd5798/

SH256 hash:

5a92c5aab95e4927d15b02c7d60e0fbe5421059f8ab8ebd48b67576252e692c0

MD5 hash:

e057441471a377e014a3c62b9ca58ee3

SHA1 hash:

102e6cf22251581b7a7c763f0f493dfb5a517957

Link:

https://www.unpac.me/results/bf19e314-d719-467e-bc1e-10bb0afd5798/

SH256 hash:

9cc5b0fd79e8aa94ce95bd47d074b18583b0690881d742841848aff2865f3714

MD5 hash:

23ade93958819f56138c24e5544c68be

SHA1 hash:

3c20b6064a0b790964b09288da59e04908aa8b64

Link:

https://www.unpac.me/results/bf19e314-d719-467e-bc1e-10bb0afd5798/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9cc5b0fd79e8aa94ce95bd47d074b18583b0690881d742841848aff2865f3714

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/153604/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample