MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a560f203c2e625c24ca5d86ab7b4fe90b6eebc96b6666eeab6231c6a55cca5db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: a560f203c2e625c24ca5d86ab7b4fe90b6eebc96b6666eeab6231c6a55cca5db
SHA3-384 hash: becf70471297fa1bcb90efc90d5c013ba478b10912722dfce84864a1f6b5503db85fa06eef13f7b64f4a4db379e64988
SHA1 hash: 17a47ad1417f26dc564261c1a46c6f09fd1d9cb2
MD5 hash: cf32dcf004f18edc2d2e633821acb549
humanhash: winter-early-chicken-alpha
File name: SN212110200003 出口 C9 UPS提單1Z82342X0428805006(82342XCDX7K)_pdf .exe
Signature: RedLineStealer
File size: 765'440 bytes
First seen: 2022-10-24 06:41:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b6ef2d2e7423032e0ad980d94767f061 (2 x ModiLoader, 1 x RedLineStealer, 1 x BitRAT)
ssdeep: 12288:QFwXm1eLcZbP9mpAmFXZ5e0mvXTeYZITtsUXIvxwUxLfHazzJr0:QFGQeabFmKmFzhmvJWurPB
Threatray: 1'225 similar samples on MalwareBazaar
TLSH: T14CF47CD36BA84432F52378369A1796BE78677C10356C9C472ACCF949CE37672E4281E3
TrID: 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      24.5% (.SCR) Windows screen saver (13101/52/3)
      19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: ecf48696cec4d4d4 (2 x ModiLoader, 1 x RedLineStealer, 1 x BitRAT)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 185
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SN212110200003 出口 C9 UPS提單1Z82342X0428805006(82342XCDX7K)_pdf .exe
Verdict: Suspicious activity
Analysis date: 2022-10-24 06:47:45 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DBatLoader
Detection: malicious
Classification: troj
Score: 64 / 100
Signature:
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:

Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2022-10-24 01:52:45 UTC
File Type: PE (Exe)
Extracted files: 46
AV detection: 23 of 26 (88.46%)
Threat level: 2/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader trojan
Behaviour:
Suspicious use of WriteProcessMemory
Program crash
ModiLoader Second Stage
ModiLoader, DBatLoader

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Comments