MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac4c2057efb4137e73e07b5f2706abbec548ba6c526d8fe12645e35c29345ad0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac4c2057efb4137e73e07b5f2706abbec548ba6c526d8fe12645e35c29345ad0
SHA3-384 hash: 32940e16dda1fe42725d4c9b8a9748d70f403f26ae7516c4eb41f2a346bf5c3de9a0b13faa099b95d0608b636600fd90
SHA1 hash: a26b4056669b0866d248e6c5a6a29de4f41314ef
MD5 hash: 8d4f45dd9a5b28f07fd1e3b1067de4b0
humanhash: october-march-artist-football
File name:SecuriteInfo.com.W32.MSIL_Kryptik.EWM.genEldorado.30775.5137
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'399'296 bytes
First seen:2021-07-21 14:05:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:uxKCe/hyO4+ytZAi8VF6/4QxJi8/8rCfbcTzGCEnWI4sgeZerKS:RhByUi8V0/FrkrCfbIdwDt
Threatray 229 similar samples on MalwareBazaar
TLSH T1B155BD75E4058C13CA2F993FC06A9310AFF45D523519CD8A16A7F5EB2E32792284DE8F
dhash icon dcb2b2b2b8e8f4cc (1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.MSIL_Kryptik.EWM.genEldorado.30775.5137
Verdict:
Suspicious activity
Analysis date:
2021-07-21 14:09:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/906ba0ea-6339-4a84-86a5-c63c1b74ec2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173021/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.EWM.genEldorado.30775.5137.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/447373b5-0cf9-4ec3-90b5-46874812c36c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819537
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains VNC / remote desktop functionality (version string found)
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451948 Sample: SecuriteInfo.com.W32.MSIL_K... Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected AntiVM3 2->44 46 .NET source code contains potential unpacker 2->46 48 5 other signatures 2->48 8 SecuriteInfo.com.W32.MSIL_Kryptik.EWM.genEldorado.30775.exe 3 2->8         started        12 236BC027.exe 2 2->12         started        14 236BC027.exe 2 2->14         started        process3 file4 32 SecuriteInfo.com.W...orado.30775.exe.log, ASCII 8->32 dropped 56 Injects a PE file into a foreign processes 8->56 16 SecuriteInfo.com.W32.MSIL_Kryptik.EWM.genEldorado.30775.exe 2 4 8->16         started        20 236BC027.exe 12->20         started        22 236BC027.exe 14->22         started        signatures5 process6 file7 30 C:\ProgramData\...\236BC027.exe, PE32 16->30 dropped 40 Creates autostart registry keys with suspicious names 16->40 24 236BC027.exe 3 16->24         started        signatures8 process9 signatures10 50 Multi AV Scanner detection for dropped file 24->50 52 Machine Learning detection for dropped file 24->52 54 Injects a PE file into a foreign processes 24->54 27 236BC027.exe 6 24->27         started        process11 dnsIp12 34 193.11.164.243, 49736, 9030 SUNETSUNETSwedishUniversityNetworkEU Sweden 27->34 36 154.35.175.225, 49744, 80 RETHEMHOSTINGUS United States 27->36 38 5 other IPs or domains 27->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac4c2057efb4137e73e07b5f2706abbec548ba6c526d8fe12645e35c29345ad0/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 13:46:09 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
19de764d88839844364351c61ef20e0919ed4f23aca6f068e848668a5590f21e
RedLineStealer
531686f56257eafa0da5908fa50d5ef2ef51efee156c1185c212ed0958ee5b59
RedLineStealer
5efb791f669b53a19afa4386c88fab13422b39ea6d85622bda91cb383014f81e
RedLineStealer
759942003ac3b6168f465ce9436abb35a731c4fbfe1f299288dad9861c670cab
RedLineStealer
87fce4a9bf5b5a94b0a722c3061fd931a2fadd301880801b64a1e78d79bb67c5
RedLineStealer
9b04bd08d71680ffce4ea7d51e725a2eaa77f34a6316b9dafa89431cf8477174
RedLineStealer
b6b6aabe3d804e0028a2ee0322750026b260d72ebe460545c636e11501f9790d
RedLineStealer
c144b9c8ba25c23f058ddcae2adb58f474c1e7c660c91d0417d1ec57a8029e8c
RedLineStealer
c882380edc4c5e271f60791a9e1456e9a86b6c89be7b06496d51f7e1858cc2c1
RedLineStealer
cb5d5df92e65ff1479f94d44da362441532b4148d6167ccf1a541e5e04207102
RedLineStealer
+ 219 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210721-s9bv3mrjr6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
6e98219f8f1a12d5fa3b57579f5b1c832921ad892d5401d1e4af6a0df7e2c7fb
MD5 hash:
d341374c8da0feae684b7d90c36b1c18
SHA1 hash:
ca67a806a900111bd7bcfb6cc29ab5834cca7d44
Link:
https://www.unpac.me/results/e61bb4d6-c5a2-482d-8737-8e58c134a1e0/
SH256 hash:
b26315c9e0dc48720d8039f580dd4e307374cd7bfd409823d299aea5e7ee98c4
MD5 hash:
f4d476afba40f4d88e131ba09ad60676
SHA1 hash:
ce4fe121ec37bda2b0eadeea0b4e6a755a32fb8f
Link:
https://www.unpac.me/results/e61bb4d6-c5a2-482d-8737-8e58c134a1e0/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/e61bb4d6-c5a2-482d-8737-8e58c134a1e0/
SH256 hash:
ac4c2057efb4137e73e07b5f2706abbec548ba6c526d8fe12645e35c29345ad0
MD5 hash:
8d4f45dd9a5b28f07fd1e3b1067de4b0
SHA1 hash:
a26b4056669b0866d248e6c5a6a29de4f41314ef
Link:
https://www.unpac.me/results/e61bb4d6-c5a2-482d-8737-8e58c134a1e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac4c2057efb4137e73e07b5f2706abbec548ba6c526d8fe12645e35c29345ad0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ac4c2057efb4137e73e07b5f2706abbec548ba6c526d8fe12645e35c29345ad0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1470704/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173021/

Comments