MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c48e509f7139d0ee5a09d1807e73783e0948741c6f90f1dbc8096318e7d6dd3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c48e509f7139d0ee5a09d1807e73783e0948741c6f90f1dbc8096318e7d6dd3a
SHA3-384 hash: c0cf1b0a21fe024e8ab4fe12c7a7ec05cbf2cd1fd812b317a4b1643e9e5c54bd63e60a567489e326e638dcad3211ded0
SHA1 hash: 2a091b127b7a0ea335f4423030fedf649027f139
MD5 hash: d350346b22f5c0831723fa5ae916890b
humanhash: whiskey-floor-yankee-juliet
File name:SecuriteInfo.com.Trojan.MulDrop17.50581.24010.2253
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:45'056 bytes
First seen:2021-06-09 14:51:43 UTC
Last seen:2021-06-14 06:16:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:kw2eMe/yb9VA72aUDDxqXpxDu8WQ8iBqsJzS3L:kTeMue9ZxqZ1WQ8F7
Threatray 24 similar samples on MalwareBazaar
TLSH 2E130965579D9C82DA5242B9C4E66B20C6B5933053A3C787370C3E4BBFD0E4B6A06BF4
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
4
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165643/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop17.50581.24010.2253.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/799623
Signature
Antivirus / Scanner detection for submitted sample
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 432019 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 09/06/2021 Architecture: WINDOWS Score: 80 68 f0398143.xsph.ru 2->68 80 Antivirus / Scanner detection for submitted sample 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Sigma detected: Add file from suspicious location to autostart registry 2->84 10 SecuriteInfo.com.Trojan.MulDrop17.50581.24010.exe 14 5 2->10         started        15 dhost.exe 498 2->15         started        17 dhost.exe 270 2->17         started        signatures3 process4 dnsIp5 72 transfer.sh 144.76.136.153, 443, 49711, 49727 HETZNER-ASDE Germany 10->72 50 C:\Users\user\AppData\Local\Temp\dhost.exe, PE32 10->50 dropped 52 SecuriteInfo.com.T...50581.24010.exe.log, ASCII 10->52 dropped 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->92 19 cmd.exe 1 10->19         started        23 dhost.exe 501 10->23         started        54 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32 15->54 dropped 56 C:\Users\user\AppData\...\win32trace.pyd, PE32 15->56 dropped 64 38 other files (none is malicious) 15->64 dropped 58 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32 17->58 dropped 60 C:\Users\user\AppData\...\win32trace.pyd, PE32 17->60 dropped 62 C:\Users\user\AppData\Local\...\win32gui.pyd, PE32 17->62 dropped 66 37 other files (none is malicious) 17->66 dropped file6 signatures7 process8 dnsIp9 70 1.1.1.1 CLOUDFLARENETUS Australia 19->70 86 Uses ping.exe to sleep 19->86 88 Uses ping.exe to check the status of other devices and networks 19->88 25 conhost.exe 19->25         started        27 PING.EXE 1 19->27         started        29 PING.EXE 1 19->29         started        31 dhost.exe 19 23->31         started        signatures10 process11 dnsIp12 74 f0398143.xsph.ru 141.8.197.42, 49725, 80 SPRINTHOSTRU Russian Federation 31->74 76 104.223.88.100 ASN-QUADRANET-GLOBALUS United States 31->76 78 2 other IPs or domains 31->78 42 C:\Users\user\...\svhost.exepu8e45nn.tmp, PE32 31->42 dropped 44 C:\Users\user\...\svchost.exe4clzyadg.tmp, PE32 31->44 dropped 46 C:\Users\user\...\stepdate.exewnve3sx7.tmp, PE32 31->46 dropped 48 3 other files (none is malicious) 31->48 dropped 35 cmd.exe 1 31->35         started        file13 process14 process15 37 reg.exe 1 1 35->37         started        40 conhost.exe 35->40         started        signatures16 90 Creates autostart registry keys with suspicious names 37->90
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c48e509f7139d0ee5a09d1807e73783e0948741c6f90f1dbc8096318e7d6dd3a/
Threat name:
ByteCode-MSIL.Trojan.SelfDel
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 22:56:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yshfbh3rhhio4wqj2gah443yhyeuq5a4n6ipdw6ibfrrrz6w3u5a._file
Verdict:
malicious
Similar samples:
08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
RedLineStealer
1b87f2ef8a0150578ab639316e6f392ccac181c9fa18df5a04ccc56963644d02
RedLineStealer
287d3d93cb64c3bc424c714061bbbd34d5be274d378953aba4609f7cb0c50ca3
RedLineStealer
3751d569cdedc2379d349efd11f829abda1802c723ee6e638fab1e9396e19798
RedLineStealer
79cf69dfb121cfdd2652fc085ebbc4883d3c317e0af826655dfec2badc0d93e0
RedLineStealer
8dc94d486fd546ffbf8f21252aba65efe18432a6cae815e02b8be4ce4449291a
RedLineStealer
9165bc75e1a727c886b97c5dd3bdc42ed33d22f2895e8a830b94bd27fdeec2eb
RedLineStealer
a4e1a5b0197b59eb99538327584f8294e81259fd704c281469ec6b7ab7a2c046
RedLineStealer
beab989e0ac939662e7ba17a7f750f5955eae1c412b7fc113ae66ba4adbb08eb
RedLineStealer
fe92444d5cb5bbd5c1b55d90a4eb2aca6a7a6a25f06051160be86c80e35e92f9
RedLineStealer
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence pyinstaller
Link:
https://tria.ge/reports/210609-e3jyx5yxhe/
Behaviour
Modifies registry key
Modifies system certificate store
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Adds Run key to start application
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
c48e509f7139d0ee5a09d1807e73783e0948741c6f90f1dbc8096318e7d6dd3a
MD5 hash:
d350346b22f5c0831723fa5ae916890b
SHA1 hash:
2a091b127b7a0ea335f4423030fedf649027f139
Link:
https://www.unpac.me/results/dbed2d26-b43e-4a04-b774-5588b71955e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c48e509f7139d0ee5a09d1807e73783e0948741c6f90f1dbc8096318e7d6dd3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165643/

Comments