MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b64c57f3f83e58764714885b3a0e16a543cfff24ae800ff5dd2540f92b4d46f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b64c57f3f83e58764714885b3a0e16a543cfff24ae800ff5dd2540f92b4d46f4
SHA3-384 hash: f3aeea43aeb567074ccbdc3c6465e067064270d0e3c32ae783b03654dd19c33c9e89f4e7d0df7c5a3c67dc24af5450ea
SHA1 hash: 7b2fe83d1d6aa8282dd4a5d2cf3259fe6f17e3f9
MD5 hash: 1cc529e64644ca9ee235b0352070b5c9
humanhash: queen-april-march-muppet
File name:1cc529e64644ca9ee235b0352070b5c9
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'073'536 bytes
First seen:2022-09-22 15:45:13 UTC
Last seen:2022-09-22 18:02:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep 49152:hJ4aWLj267nCMfLMumI0NzzvVYogqBMjO0bvXqDBedNNjTtWOWjEx2DAs5/iPG84:Unj267nCOVmlxRQwev6DGzjTgdwx2DAY
Threatray 333 similar samples on MalwareBazaar
TLSH T18CE53321ABE660DBEC7373F548F307A7E831B9644779961E233284591DA32A57B78303
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1cc529e64644ca9ee235b0352070b5c9
Verdict:
No threats detected
Analysis date:
2022-09-22 15:45:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea7c68ea-7421-4a30-8aba-46eeab3dde0c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312399/
Detection(s):
SecuriteInfo.com.TrojanDropper.Win32.Dapato.BH.MTB.25876.2100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file
Creating a window
Searching for the window
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38492/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
advpack.dll packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/632c838139767769653ccab3/reports/ebc16b1f-8135-4c9a-962b-3401a19a104e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f62e94f4-4c04-45f1-9d44-efae3641d591
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1075436
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 707978 Sample: 4m4yc8lii5.exe Startdate: 22/09/2022 Architecture: WINDOWS Score: 88 37 Multi AV Scanner detection for domain / URL 2->37 39 Antivirus detection for dropped file 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 3 other signatures 2->43 8 4m4yc8lii5.exe 1 3 2->8         started        11 rundll32.exe 2->11         started        process3 file4 29 C:\Users\user\AppData\Local\...\uproject.exe, PE32 8->29 dropped 13 uproject.exe 2 8->13         started        17 powershell.exe 14 16 8->17         started        process5 dnsIp6 31 C:\Users\user\AppData\Local\...\project1.exe, PE32 13->31 dropped 45 Antivirus detection for dropped file 13->45 47 Multi AV Scanner detection for dropped file 13->47 20 project1.exe 3 14 13->20         started        33 sheet.duckdns.org 159.223.57.212, 49703, 9000 CELANESE-US United States 17->33 35 192.168.2.1 unknown unknown 17->35 23 conhost.exe 17->23         started        file7 signatures8 process9 file10 27 C:\Users\user\AppData\Local\...\File2.exe, PE32+ 20->27 dropped 25 wscript.exe 20->25         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b64c57f3f83e58764714885b3a0e16a543cfff24ae800ff5dd2540f92b4d46f4/
Threat name:
ByteCode-MSIL.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 15:46:19 UTC
File Type:
PE+ (Exe)
Extracted files:
37
AV detection:
17 of 26 (65.38%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzgfp47yhzmhmryurbntudqwuvb477zev2aa75o5evapsk2ni32a._file
Verdict:
malicious
Similar samples:
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
RedLineStealer
be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502
RedLineStealer
c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d
RedLineStealer
cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
RedLineStealer
dc3b1cd6cc70e681b959bf718ba3a91ac4d5f6c0dfe49fa6ef0f6a7092a5690d
RedLineStealer
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
RedLineStealer
+ 323 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220922-s7lnpabgh3/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/290bea49-a64b-45a3-8255-fcfb5d7e9126
Unpacked files
SH256 hash:
b64c57f3f83e58764714885b3a0e16a543cfff24ae800ff5dd2540f92b4d46f4
MD5 hash:
1cc529e64644ca9ee235b0352070b5c9
SHA1 hash:
7b2fe83d1d6aa8282dd4a5d2cf3259fe6f17e3f9
Link:
https://www.unpac.me/results/a9604413-bf6b-4940-8579-b1ca0d06b4a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b64c57f3f83e58764714885b3a0e16a543cfff24ae800ff5dd2540f92b4d46f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b64c57f3f83e58764714885b3a0e16a543cfff24ae800ff5dd2540f92b4d46f4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2310050/
Cape
Cape
https://www.capesandbox.com/analysis/312399/

Comments


Avatar
zbet commented on 2022-09-22 15:45:16 UTC

url : hxxp://sheet.duckdns.org:9000/Budgetsheet.exe