MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acb5fd38a1242912e31423cb90abddbd78cb39ed19efe4768b70af99092f1328. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 7



SHA256 hash: acb5fd38a1242912e31423cb90abddbd78cb39ed19efe4768b70af99092f1328
SHA3-384 hash: 4b4a99ae7e89515ed1649e0b467f4e4cc760241fc49ee733576dd0252bd4a6175e2c9caf7c9e25b6a3c83be5352e724a
SHA1 hash: d06b863f439c03c20f3600222196cb2465696b21
MD5 hash: d2e78f6663b47a7ec04a4d014cab5ff1
humanhash: illinois-fillet-alaska-spaghetti
File name: d2e78f6663b47a7ec04a4d014cab5ff1
Signature RedLineStealer
File size: 834'560 bytes
First seen: 2022-12-21 01:12:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 12288:6gy90wnQoGlU9coZ7u0pkk8oiezBswA3ptpsVjCk/TG:5y9pWU9j7u0+3Its73zpshCk/a
Threatray 261 similar samples on MalwareBazaar
TLSH T12B05122272E19192E5BA67709DF7028716317CD6AB35CBEF2391D11D0E237D46A32387
TrID 83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 171
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d2e78f6663b47a7ec04a4d014cab5ff1
Verdict: Malicious activity
Analysis date: 2022-12-21 01:13:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window

Verdict: No Threat
Threat level: 2/10
Confidence: 75%
Tags: advpack.dll certutil.exe packed rundll32.exe setupapi.dll shell32.dll
Result
Threat name: Unknown
Detection: malicious
Classification: bank.evad
Score: 64 / 100

Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Registers a new ROOT certificate
Uses certutil -decode

Behaviour
Behavior Graph (ID: 771068; sample: VB9IXWSwU3.exe; start date: 21/12/2022; architecture: WINDOWS; score: 64)
Start: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
Start -> VB9IXWSwU3.exe started
Start -> rundll32.exe started
VB9IXWSwU3.exe -> dropped C:\Users\user\AppData\Local\...\certutil.exe (PE32+); Uses certutil -decode; certutil.exe started
certutil.exe -> Registers a new ROOT certificate; conhost.exe started
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2022-12-21 01:13:08 UTC
File Type: PE+ (Exe)
Extracted files: 48
AV detection: 16 of 26 (61.54%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence

Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Unpacked files
SHA256 hash: acb5fd38a1242912e31423cb90abddbd78cb39ed19efe4768b70af99092f1328
MD5 hash: d2e78f6663b47a7ec04a4d014cab5ff1
SHA1 hash: d06b863f439c03c20f3600222196cb2465696b21
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe acb5fd38a1242912e31423cb90abddbd78cb39ed19efe4768b70af99092f1328 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-12-21 01:12:20 UTC

url : hxxp://37.77.239.239:8752/krnl_connect.exe