MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1a1e3ba5fd634d39e65b483e27accb1280b4716072efc8e91ba5f441e227b9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	a1a1e3ba5fd634d39e65b483e27accb1280b4716072efc8e91ba5f441e227b9c
SHA3-384 hash:	1e554627b2016b0d7abd6e9edf6b4e30ec097213cbe66ba19e073e3c68079b25c58208d6fa2dad463f11924eff4dc5fa
SHA1 hash:	ae55b27fbc4f03d378e0615e94748ea9bfe427a2
MD5 hash:	21971ced8c7da82ab2cc24cc2e20beac
humanhash:	earth-cold-cold-venus
File name:	21971ced8c7da82ab2cc24cc2e20beac.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'210'304 bytes
First seen:	2022-11-29 07:06:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	49152:ZprnFAPNTAD+v7Jj+HvjFw3RxQ2eHu+pEtofqmumxEyzQc:TiTAo7Sqhx/X8EtozM
Threatray	106 similar samples on MalwareBazaar
TLSH	T164A53309D7BE5977D5B413714EF612930A35BCBA2C34432A3A06A41A99B3BDC807A7D3
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

1

# of downloads :

163

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

21971ced8c7da82ab2cc24cc2e20beac.exe

Verdict:

Malicious activity

Analysis date:

2022-11-29 07:07:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0220acd5-5942-4928-8649-19bf10e3d98b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/339639/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a process with a hidden window

Creating a process from a recently created file

Сreating synchronization primitives

DNS request

Sending a UDP request

Creating a file in the %temp% subdirectories

Running batch commands

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack.dll anti-vm cmd.exe packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/6385af96090ea3f04934d294/reports/74635c0a-833c-4eca-b4b3-00b6eb6dafc2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2dd236eb-6a1f-455f-9f77-fc8acecb9845

Result

Threat name:

Unknown

Detection:

clean

Classification:

evad

Score:

13 / 100

Link:

https://www.joesandbox.com/analysis/1123093

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1a1e3ba5fd634d39e65b483e27accb1280b4716072efc8e91ba5f441e227b9c/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ugq6hos72y2nhhtfwsb6e6wmweuawrywa4xpzdurxjpuihrcpooa._file

Verdict:

unknown

Similar samples:

4e5006410923fe02f63bb2f3104dcae4f1aae22fbfd2f13a5ef351d61c3e4fb6

5235b4f3619c2a7c56d7ca2a22da5f0f07ce7b022fb8d8ad1b2c0c352d0cc122

97817a9421058db2e7cc334fe168079e288088bf27a20e8d4421b6aaf0598bc1

a17e38eb9cf906557d7e718135d95bb3d7683ddd40093c10b91414e0c84cbb1b

a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103

aae2c924a51f3b520477cd8fd45271c38f8a0dd334ffd813d187e3b6b517c458

bc18e4cbdd507f6bfabd5b73513ad430951544efe453a7516bebcbdefb6e9eb5

d4aa4e2919521f861933491197e59c37a9a574480f8b83f7a1fa82ddae3ca2b7

e913efef17e825fea233b2718e80eeb7964ffc0abf8b6732bec99685474fc9c0

f79c5f68c9c4c758e5ae08d72ef34e0ae8f0875b54c05e4db396ee09b41e67f0

+ 96 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/221129-hxneesfg52/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

c185f7e6bcad208de670fbcccc9968d99d3a707bedcff65ec67fc257820fcfc7

MD5 hash:

bf4dbc40f95107ffb8332a8d783c2a0f

SHA1 hash:

51ca5f4322716ccb790e836c6bf8ae68dcb91f76

Link:

https://www.unpac.me/results/a0a6be35-0d94-4911-9cc2-6e175a1a3cdb/

SH256 hash:

a1a1e3ba5fd634d39e65b483e27accb1280b4716072efc8e91ba5f441e227b9c

MD5 hash:

21971ced8c7da82ab2cc24cc2e20beac

SHA1 hash:

ae55b27fbc4f03d378e0615e94748ea9bfe427a2

Link:

https://www.unpac.me/results/a0a6be35-0d94-4911-9cc2-6e175a1a3cdb/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a1a1e3ba5fd6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a1a1e3ba5fd634d39e65b483e27accb1280b4716072efc8e91ba5f441e227b9c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/339639/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample