MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acc92fd3a929ed4c52b41547b60563cd68b73701998071c3653424df8f51a474. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acc92fd3a929ed4c52b41547b60563cd68b73701998071c3653424df8f51a474
SHA3-384 hash: 299c2e7d894263d2036a391876dc7b4da9ca85a9f997eefff430a6d8c26f0a5e68d50a82c58f2e96e91888792106b674
SHA1 hash: 5cf31cd0c330ff5a99dcf5a13c5462c4f605ff31
MD5 hash: 1b571531b0942e6e008cb5126f3c8d86
humanhash: red-oven-fanta-one
File name:HSBC payment advice EGHKEB0C01725410-T15.pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:879'616 bytes
First seen:2021-06-15 13:57:12 UTC
Last seen:2021-06-15 14:53:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:fpPc90u7XvFmW9fkN++Ni7BuEY75TlXmzMeX9ty+osmMjDxTxLh256pvquwaHpYi:fYo58zMHsmSDxTxhk2quPHpYaac
Threatray 311 similar samples on MalwareBazaar
TLSH EB15BE522EA8AB99F4F95B70BDF0831603FB7D127B23D7D95E8471C92867E808765302
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HSBC payment advice EGHKEB0C01725410-T15.pdf.exe
Verdict:
No threats detected
Analysis date:
2021-06-15 14:01:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/68874013-3ac7-4a3d-b9a0-4e2205f4c294

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis1B571531B094.19749.15415.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46019a45-69df-4610-89e8-a05fc6224aaa
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/802472
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to evade analysis by execution special instruction which cause usermode exception
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acc92fd3a929ed4c52b41547b60563cd68b73701998071c3653424df8f51a474/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 13:02:37 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vtes7u5jfhwuyuvucvd3mbldzvulonybtgahdq3fgqsn7d2rur2a._file
Verdict:
unknown
Similar samples:
058d5fa44050ac0a0544a77a57785ea08fa963b205a0cd9fae4538f8f4cc0ae5
RedLineStealer
2e826b4ff8b272db629c4983e9edd53656cc4a2e9d24178ebd2b6a8890d1e864
RedLineStealer
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
RedLineStealer
31f7d71ca24fbde43953ebf5e0518c065b795cef8e7b021ca7fbf31a06ce9348
RedLineStealer
6bc296fc9ae6bdb27ca23398f69bfb7b44d69734ff0e03a3322fdf688117e2f5
RedLineStealer
8bf0629c5fa2fc821172ac5131d559debbffd89ed9cdcaa2e3963dbb67d2f734
RedLineStealer
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
RedLineStealer
c3c62460fce1e7c6964339da00bc229e02872c21de66a35c3aba8592ef7a8872
RedLineStealer
cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069
RedLineStealer
f535414d7bdcacff5db6ba209be888ebcd7996b1602a3b78a574b72d03cca147
RedLineStealer
+ 301 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210615-ww4nyqz7c6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
82fe42ffa7c2160c4ba79b666ba52f6dce210e0be5cbbb1419ddf3058215568b
MD5 hash:
a7c717e07a9e8fc3408914687859cf8a
SHA1 hash:
862f0e3f4f99c7674a540327ba08792e8a6cf5a1
Link:
https://www.unpac.me/results/fbe816d9-3f83-4786-975d-700e3f33cf0e/
SH256 hash:
acc92fd3a929ed4c52b41547b60563cd68b73701998071c3653424df8f51a474
MD5 hash:
1b571531b0942e6e008cb5126f3c8d86
SHA1 hash:
5cf31cd0c330ff5a99dcf5a13c5462c4f605ff31
Link:
https://www.unpac.me/results/fbe816d9-3f83-4786-975d-700e3f33cf0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/acc92fd3a929ed4c52b41547b60563cd68b73701998071c3653424df8f51a474

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe acc92fd3a929ed4c52b41547b60563cd68b73701998071c3653424df8f51a474

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments