MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae3f08ee06ddd2f9080d22a345aa9a5862b64f9a90001244b035ceac8b54dc24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 5



SHA256 hash: ae3f08ee06ddd2f9080d22a345aa9a5862b64f9a90001244b035ceac8b54dc24
SHA3-384 hash: 091e6d3d2bb6f11f1e070005c18e9b19af11a7a4939e5115a4435e9654e6ef9a61e1da163fbbaa06bb185547661d3ca2
SHA1 hash: a92b7ccda86582fa2a424ae3a44b1b3903416462
MD5 hash: 53ade737fe31d314f8dea5ea5068b31d
humanhash: may-oven-sink-saturn
File name: 53ade737fe31d314f8dea5ea5068b31d
Signature: RedLineStealer
File size: 41'984 bytes
First seen: 2021-09-11 21:14:29 UTC
Last seen: 2021-09-11 22:20:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 768:QVYOo2BHW+AJJIsXMx32DCTA9QPbxFQl+DCUGU/7i4J7:s2hJTXMolSbxo4uEnJ7
Threatray: 21 similar samples on MalwareBazaar
TLSH: T14513508C765072DFC85BC876DEA82C64EA607477931BC243E45316AD9A0DA8BCF151F3
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 130
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour: Creating a window

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 481708; sample ocHB4ECVS2; start date 11/09/2021; architecture WINDOWS; score 100)
Top-level signatures: Sigma detected: Powershell download and execute file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures
Process tree recovered from the graph (dropped files, signatures and network contacts listed under the process they belong to):
ocHB4ECVS2.exe
  dropped: C:\Users\user\AppData\...\ocHB4ECVS2.exe.log (ASCII)
  signature: Adds a directory exclusion to Windows Defender
  cmd.exe
    signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Adds a directory exclusion to Windows Defender
    powershell.exe
      RuntimeBroker.exe
        dropped: C:\Users\user\AppData\Local\...\service.exe (PE32)
        signature: Multi AV Scanner detection for dropped file
        cmd.exe
          signature: Uses schtasks.exe or at.exe to add and modify task schedules
          conhost.exe; schtasks.exe
    powershell.exe
      signatures: Drops PE files to the user root directory; Powershell drops PE file
    powershell.exe
      dropped: C:\Users\user\RuntimeBroker.exe (PE32)
      network: 192.168.2.1 (unknown)
    4 other processes
      network: dl.uploadgram.me 176.9.247.226, ports 443, 49735, 49737 (HETZNER-ASDE, Germany)
      conhost.exe; schtasks.exe
service.exe
  signature: Multi AV Scanner detection for dropped file
  cmd.exe
    conhost.exe; schtasks.exe
service.exe
  dropped: C:\Windows\SysWOW64\TEMP\service.exe (copy, PE32)
  cmd.exe
service.exe
  cmd.exe
    conhost.exe; schtasks.exe
Threat name: Win32.Trojan.Bsymem
Status: Malicious
First seen: 2021-09-06 07:09:00 UTC
AV detection: 24 of 45 (53.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Downloads MZ/PE file
Executes dropped EXE
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://dl.uploadgram.me/613483c36d110h?raw
https://dl.uploadgram.me/61335d76e1bc0h?raw
Unpacked files
SHA256 hash: 870b07eae342f775586c650e193de6efbe737f84c6846ca997c3921854ab761d
MD5 hash: 452a6643658ad7102e61d139f62a0ce0
SHA1 hash: dc3ae8e41cf9075143fc74fd9a6e24a764894b4a

SHA256 hash: ae3f08ee06ddd2f9080d22a345aa9a5862b64f9a90001244b035ceac8b54dc24
MD5 hash: 53ade737fe31d314f8dea5ea5068b31d
SHA1 hash: a92b7ccda86582fa2a424ae3a44b1b3903416462
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery chain:
Web download
  RedLineStealer
    Executable exe ae3f08ee06ddd2f9080d22a345aa9a5862b64f9a90001244b035ceac8b54dc24 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-09-11 21:14:30 UTC

url: hxxp://pilmmofl.beget.tech/launcher.exe