MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a16624be76f60cf8925dce62033c0935da75d60462d3f51cba66c06684f6146a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a16624be76f60cf8925dce62033c0935da75d60462d3f51cba66c06684f6146a
SHA3-384 hash: b39bb2936fb72549ca3659667b69151728e63ea703d4e99bbdf5f4fac7afb115471eb7766f5396cbb79f002cd36ef7ab
SHA1 hash: cf07352135747e3a93e7a0c36d86695c633a6a14
MD5 hash: 45068f907806b9146f9f4733a5d4c8d9
humanhash: cold-hydrogen-charlie-lamp
File name:lH1IQ4QOaUfvtva.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:679'936 bytes
First seen:2021-05-11 06:42:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:9qSyiP6Odm/s0DXJ4q5tREU9Ac1ELImibEqk3gB/3BbHXI42TbcP+Vg:M/s6J40tREUJOwbENY/BboHcP+V
Threatray 17 similar samples on MalwareBazaar
TLSH 72E4220332E88B14C0BA17B451A3661847F19A2B9355E35E3F8829ED5DF77F582C2BD2
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154827/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Connection attempt
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/778841
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a16624be76f60cf8925dce62033c0935da75d60462d3f51cba66c06684f6146a/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 06:43:23 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uftcjptw6ygpres5zzragpajgxnhlvqemlj7khf2m3agnbhwcrva._file
Verdict:
unknown
Similar samples:
12e9811c0f147a84152e2f39b93f0113ada404ba385277ca067ee028e7105c59
RedLineStealer
202a874c92cd603d7743eec18025972cde4f15ac56792856a77d6f9e27b96ec9
RedLineStealer
2bc34cf2725ceb0a4b515b050e12ac17fdc20e8605fcd602f766397a4ead7f47
RedLineStealer
84aff154ff6475dfe98c65e5650ed5e63a219d4af2c0cad67daae9d4ad014878
RedLineStealer
8a4fc07c7377e29d097d88f0d2128233e2179f65638a9650f320e7601b205c6a
RedLineStealer
ad955529bf96483828333f5a0b6c69d1bdacc0798123470d8de0875c75b9010d
RedLineStealer
d6adc5fd4e50b6a75c1d1e2ad96c279c2ac31472eca3c0325ae6f83852440333
RedLineStealer
db683fe0365a4a2ed316ea5944cd1cdd05a398d65e0caaead565dec941d54f71
RedLineStealer
dd8cb0b0a45253ca00dff802d1505f6225b5bd54c742c12c0ab30aa5b3ee7c21
RedLineStealer
de0b80f33037ee2253015508b278b103356b4ca38df599ecb1c91fa1403211c2
RedLineStealer
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210511-akcmrxeq6n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/a16624be76f60cf8925dce62033c0935da75d60462d3f51cba66c06684f6146a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154827/

Comments