MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf6cc7eea43409deca0f85b678181c98c6cb955b73915efb9975b37286a7905f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf6cc7eea43409deca0f85b678181c98c6cb955b73915efb9975b37286a7905f
SHA3-384 hash: 5651bdde9f4fd9fd4c2ce715a6d936efb60c836638a2a91000b886c0f3d4b95cf0f2fae64aece4972717c6c22c6f332e
SHA1 hash: 2c9b9c6585cb135bd18d9cacfbebe3ca73421079
MD5 hash: 2490c7b7b1b804ee81900a495bd6352c
humanhash: rugby-batman-mars-seventeen
File name:bf6cc7eea43409deca0f85b678181c98c6cb955b73915efb9975b37286a7905f
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:175'640 bytes
First seen:2021-09-13 11:18:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:jeJYpgyBRZjqHwdWoY/iXV1cQzCnvqZrXmaN/v:jeagy/ZjkwYoCiXfzpZr2Y
Threatray 159 similar samples on MalwareBazaar
TLSH T199048CA755145462C9481734E471CF3B33799D282950F28AB4CAFEB7BE3A38E4DB4227
dhash icon 007960733684d440 (2 x RedLineStealer)
Reporter JAMESWT_WT
Tags:ElysiumStealer exe RedLineStealer signed Solar LLC

Code Signing Certificate

Organisation:Solar LLC
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-12-17T00:00:00Z
Valid to:2021-12-17T23:59:59Z
Serial number: 6aaa62208a3a78bfac1443007d031e61
Intelligence: 13 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: e0b4e0146cef64385a2635611ccc0d7b3c7f8a126dfedf7f491d677b4a896d65
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bf6cc7eea43409deca0f85b678181c98c6cb955b73915efb9975b37286a7905f
Verdict:
Malicious activity
Analysis date:
2021-09-13 11:21:27 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/71de92f1-f156-4117-a1a1-c9052b92d1ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187433/
Detection(s):
Win.Packed.Bulz-9892765-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/617500b39a5a1e91c5d1fbbb/reports/ec07e055-750c-4b16-8f8e-2f5df4cd9219/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bdc0288-eab8-45f3-8b70-79bb53127f15
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/849710
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf6cc7eea43409deca0f85b678181c98c6cb955b73915efb9975b37286a7905f/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 03:50:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
RedLineStealer
649196028a2da14a49c0e7ac613ddb03e5cc6ab289081ee32d08b192d562859a
RedLineStealer
693e3bf8be7f27a874149f559287d4153502f56d3e09a7303cbd719aa12d3693
RedLineStealer
847a38c590090d40f07ba44dd60592cd40fe1d37e5f3b65bd6c980be752faafa
RedLineStealer
84b5f43282cdb9d3947e0be64ff3bec298c98b1c35e369a02bf0607a0d7b0de2
RedLineStealer
cd84c2fe9c5f3783d3a6ebdea43e14774975f092ef5242a857b9a4a28e14878a
RedLineStealer
f5aae19b73a4833e19ccff1b95dafa7b0c31a1def9bbaa5480593af68b2f4c85
RedLineStealer
f6aa394f7b0a0f629da6831a1134e4a6cbf21c70dce7f4133319d638d4b58023
RedLineStealer
fa377574c99698cd65d8897d93e96c287dff271d4838107aeac36e7a843c1053
RedLineStealer
fc89316ccd912e374995269d989e0649492e77ed774e5556118289e152479a30
RedLineStealer
+ 149 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210913-net25sded9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
e5b5686994fc8518de926dfc17827b3779b7d2fdd4fc24cc3c4bab8d5481017c
MD5 hash:
7b20e7183a25cd7a2c1d8b38b8fc98b9
SHA1 hash:
b629be77a30cf0dbbb546beac910fa30bc17d5ed
Link:
https://www.unpac.me/results/27a8d0f3-4d89-412f-8630-548b9ebf052d/
SH256 hash:
bf6cc7eea43409deca0f85b678181c98c6cb955b73915efb9975b37286a7905f
MD5 hash:
2490c7b7b1b804ee81900a495bd6352c
SHA1 hash:
2c9b9c6585cb135bd18d9cacfbebe3ca73421079
Link:
https://www.unpac.me/results/27a8d0f3-4d89-412f-8630-548b9ebf052d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bf6cc7eea43409deca0f85b678181c98c6cb955b73915efb9975b37286a7905f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187433/

Comments