MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af8d6e1cfb2a74d49ad657aeec6e68a8ef37c7a59ec0c73c892c33e521f4fb0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af8d6e1cfb2a74d49ad657aeec6e68a8ef37c7a59ec0c73c892c33e521f4fb0c
SHA3-384 hash: 7abf711a2e654ffbf6f4fd2c5da8c96ce36dc69d2ae4ffbe0b94c298aa33c6b65821dde9f22fd241c777c0f72b2ed50d
SHA1 hash: 396d79d0729cb241605f84701fce56dc59f08d87
MD5 hash: 487f37fd296c376c035bea726aa13b51
humanhash: carolina-winter-carbon-fruit
File name:487f37fd296c376c035bea726aa13b51.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:23'392 bytes
First seen:2021-06-22 14:42:09 UTC
Last seen:2021-06-22 16:01:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:MPfBR8ODn9maJl59gLjz18LlBCdw2fEEdHB9o9cnrQhO:MP55DnnJfWn1NdzfnBBaanrQhO
Threatray 321 similar samples on MalwareBazaar
TLSH 0DB24C46BBC80D52E47F3A7F70B11A253376BED06A46DA1F7F9CA1625C02B8A163C51C
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
487f37fd296c376c035bea726aa13b51.exe
Verdict:
Malicious activity
Analysis date:
2021-06-22 15:06:59 UTC
Tags:
trojan loader
Link:
https://app.any.run/tasks/5e64464f-443a-4cce-92f9-3f5a5a7787d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167624/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.1306.19388.9950.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ecd6da5-e759-459b-a091-9d43dabe9a82
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806061
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell adding suspicious path to exclusion list
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 438472 Sample: DLJxQ5rIop.exe Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 56 adda.net.in 2->56 68 Multi AV Scanner detection for domain / URL 2->68 70 System process connects to network (likely due to code injection or exploit) 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 3 other signatures 2->74 8 DLJxQ5rIop.exe 24 18 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 8 other processes 2->17 signatures3 process4 dnsIp5 62 apdocroto.gq 104.21.14.60, 49717, 49724, 49727 CLOUDFLARENETUS United States 8->62 48 C:\Users\user\...\13e29mc72e13HMvbb0bd9.exe, PE32 8->48 dropped 50 C:\Program Files\Common Files\...\svchost.exe, PE32 8->50 dropped 52 C:\Users\user\AppData\...\ni22cyet.newcfg, XML 8->52 dropped 54 3 other files (2 malicious) 8->54 dropped 82 Drops PE files to the startup folder 8->82 84 Adds a directory exclusion to Windows Defender 8->84 86 Hides threads from debuggers 8->86 92 2 other signatures 8->92 19 DLJxQ5rIop.exe 8->19         started        24 powershell.exe 8->24         started        26 13e29mc72e13HMvbb0bd9.exe 8->26         started        32 10 other processes 8->32 88 System process connects to network (likely due to code injection or exploit) 13->88 28 WerFault.exe 15->28         started        30 WerFault.exe 15->30         started        64 127.0.0.1 unknown unknown 17->64 66 192.168.2.1 unknown unknown 17->66 90 Changes security center settings (notifications, updates, antivirus, firewall) 17->90 file6 signatures7 process8 dnsIp9 58 adda.net.in 103.20.214.241, 49729, 49748, 80 NETMAGIC-APNetmagicDatacenterMumbaiIN India 19->58 44 C:\Users\user\AppData\...\DLJxQ5rIop.exe.log, ASCII 19->44 dropped 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->76 78 Query firmware table information (likely to detect VMs) 24->78 34 conhost.exe 24->34         started        60 apdocroto.gq 26->60 80 Tries to evade analysis by execution special instruction which cause usermode exception 28->80 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 32->46 dropped 36 AdvancedRun.exe 32->36         started        38 conhost.exe 32->38         started        40 conhost.exe 32->40         started        42 7 other processes 32->42 file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af8d6e1cfb2a74d49ad657aeec6e68a8ef37c7a59ec0c73c892c33e521f4fb0c/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 14:43:07 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
4570649013c21a25f6e926d8e0b37fadd0120425b3e0215a69dd9e00fa358f8a
RedLineStealer
520fae27134b14bb92d3858083c08496cee8b1c7631f0a374c5e168adfa799f2
RedLineStealer
869147dc42f117713c1b9070d615deda8ff7d7baf8c5baea4ccee3c21829fa96
RedLineStealer
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
RedLineStealer
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
RedLineStealer
bcdd81a6d0deebe09f613e09664008c1b16785091595590ad803d8822f5207f2
RedLineStealer
c52ddeac61f16fb23ff925617fba081392b7aabe47c82c765513755d38e62cde
RedLineStealer
ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf8cf9155e67e7a460c2c
RedLineStealer
d89c68b81a492812f334c6485f8867419efb302da480f13d56ce1e9801c20096
RedLineStealer
fd80116dffb4a52d6a31d33d06f3ff943c38f6ada8fd3d9e9ffaeb0422a010a9
RedLineStealer
+ 311 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210622-v3l59y9q22/
Behaviour
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
af8d6e1cfb2a74d49ad657aeec6e68a8ef37c7a59ec0c73c892c33e521f4fb0c
MD5 hash:
487f37fd296c376c035bea726aa13b51
SHA1 hash:
396d79d0729cb241605f84701fce56dc59f08d87
Link:
https://www.unpac.me/results/44c9946c-a8ad-4e5d-8ea5-b98e5c316ca9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/af8d6e1cfb2a74d49ad657aeec6e68a8ef37c7a59ec0c73c892c33e521f4fb0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe af8d6e1cfb2a74d49ad657aeec6e68a8ef37c7a59ec0c73c892c33e521f4fb0c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1380415/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167624/

Comments