MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4f095207ec063a7952a8ed7e50ecec99fed02495b69fd1a0db6830f9b14255b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4f095207ec063a7952a8ed7e50ecec99fed02495b69fd1a0db6830f9b14255b
SHA3-384 hash: 185334713c733242be0be38e85933bf39600f1bd6078af4eaa0bea27016d0f4ab64b28110ffdab3319a2f98da8b56363
SHA1 hash: 197ec6f8b3071af187669bd9534171e3d721a90d
MD5 hash: 4725f966d9eb8b9e3bab8f8096f9f0e6
humanhash: minnesota-artist-vermont-single
File name:4725f966d9eb8b9e3bab8f8096f9f0e6
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:36'016 bytes
First seen:2021-06-19 20:46:46 UTC
Last seen:2021-06-19 21:36:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 768:mdZCWiar8Vj8093ok0Z6DKTlpGd4rqalCuUhm:SJ8d80941Ueh0d4rVlCg
Threatray 7 similar samples on MalwareBazaar
TLSH EDF218971064B124E2E30A341D52ED743B28DB705984E10EE561915CCF83BF7B9EDADE
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:b6zNt9fCcH07f
Issuer:b6zNt9fCcH07f
Algorithm:sha256WithRSAEncryption
Valid from:2021-06-18T10:56:03Z
Valid to:2022-06-18T10:56:03Z
Serial number: 02657e1397163979cf463e2f315b973f
Thumbprint Algorithm:SHA256
Thumbprint: 566d91434df13e182365e55a8a42d4bcc1af2bfa3aef80cae76b196918683615
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4725f966d9eb8b9e3bab8f8096f9f0e6
Verdict:
Malicious activity
Analysis date:
2021-06-19 20:49:52 UTC
Tags:
trojan loader
Link:
https://app.any.run/tasks/485caa96-7ed2-4e35-9ea4-5874e7cc7a8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167073/
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.59276.30770.16934.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96705e3e-4f3e-4e99-ba66-c520215eff06
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
0 / 100
Link:
https://www.joesandbox.com/analysis/804774
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4f095207ec063a7952a8ed7e50ecec99fed02495b69fd1a0db6830f9b14255b/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 12:58:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
4ee91a96f4f8219145c883b6e785869dcec4a22bc98e9c95a8472fbfa2c63148
RedLineStealer
562d9a4326e09ecb7f988355d1d56c39d025f292c3d3e8a5e319a3ff2c44866d
RedLineStealer
5ee4366770f9c55363d7b854f2208e451935789039ad936778bdc25c16deeb44
RedLineStealer
6721200d1e880c83cf3c4ee07db918abca886251cd59a10c10b515eaf026bbbc
RedLineStealer
a276b0d2aaf8a132ffbe9ae16763975bcf38fc1e5a6419890712fc3de02b793f
RedLineStealer
d01b3522dd2a17cd248709a670e7da25be8ab17565848e76b1087d1d1e11fe33
RedLineStealer
fd81af867988782d16df1b79f602163f297ebb1631f4d1542c4828d0fb5a7900
RedLineStealer
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210619-vrdykh89fj/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Windows security bypass
Unpacked files
SH256 hash:
b4f095207ec063a7952a8ed7e50ecec99fed02495b69fd1a0db6830f9b14255b
MD5 hash:
4725f966d9eb8b9e3bab8f8096f9f0e6
SHA1 hash:
197ec6f8b3071af187669bd9534171e3d721a90d
Link:
https://www.unpac.me/results/88aadf32-2193-48fb-85fc-6057a424a110/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b4f095207ec063a7952a8ed7e50ecec99fed02495b69fd1a0db6830f9b14255b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b4f095207ec063a7952a8ed7e50ecec99fed02495b69fd1a0db6830f9b14255b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1380415/
Cape
Cape
https://www.capesandbox.com/analysis/167073/

Comments