MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5617b10a4b7bc7f4f5b457ad59744510d9dee0ee0dd84f1f7882e29e70c1139. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5617b10a4b7bc7f4f5b457ad59744510d9dee0ee0dd84f1f7882e29e70c1139
SHA3-384 hash: fd63e966438cb95547672a34a70dba805f7e240eac43b9f94825db931d215c0787dbf85aae5e051e36c201000fb109c8
SHA1 hash: 4c970a70780b95ece110ba8882bfb75961439963
MD5 hash: 0848c11cbd563b8c28df0cc52487ff8e
humanhash: carbon-london-east-robin
File name:Invoice-9273923.xll
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:656'384 bytes
First seen:2022-11-28 07:35:59 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep 12288:in/zDvGHAykHSzLW/4+8bzbBSreMdShgFK/UqWPZ1tbnK:gzbGHAzHAjX1BcLPZ1V
Threatray 136 similar samples on MalwareBazaar
TLSH T1D1D4AE57F7C7FAB0E6BE827A82B1891C527774520260A78F674076896D23392493DF0F
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:RedLineStealer xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice-9273923.xll
Verdict:
No threats detected
Analysis date:
2022-11-28 07:52:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cde7bcc8-fd65-4f7d-a6c4-e887969f278c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/c5617b10a4b7bc7f4f5b457ad59744510d9dee0ee0dd84f1f7882e29e70c1139/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/638464ee5be128ac718f3ab8/reports/2305dbaa-133d-473d-9deb-580d42ac6b9c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122308
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office process drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 755022 Sample: Invoice-9273923.xll Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 27 s3-w.us-east-1.amazonaws.com 2->27 29 s3-1-w.amazonaws.com 2->29 31 3 other IPs or domains 2->31 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 6 other signatures 2->55 9 cmd.exe 4 2 2->9         started        signatures3 process4 process5 11 EXCEL.EXE 210 54 9->11         started        16 conhost.exe 9->16         started        dnsIp6 35 s-0005.s-dc-msedge.net 52.113.195.132, 443, 49787 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->35 37 bitbucket.org 104.192.141.1, 443, 49788 AMAZON-02US United States 11->37 39 s3-w.us-east-1.amazonaws.com 52.216.145.203, 443, 49789 AMAZON-02US United States 11->39 25 C:\Users\user\AppData\...\newllootexpreol.exe, PE32 11->25 dropped 65 Document exploit detected (creates forbidden files) 11->65 18 newllootexpreol.exe 1 11->18         started        file7 signatures8 process9 signatures10 41 Machine Learning detection for dropped file 18->41 43 Writes to foreign memory regions 18->43 45 Allocates memory in foreign processes 18->45 47 Injects a PE file into a foreign processes 18->47 21 vbc.exe 15 5 18->21         started        process11 dnsIp12 33 82.165.20.74, 49792, 80 ONEANDONE-ASBrauerstrasse48DE Germany 21->33 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->57 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->59 61 Tries to harvest and steal browser information (history, passwords, etc) 21->61 63 Tries to steal Crypto Currency Wallets 21->63 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5617b10a4b7bc7f4f5b457ad59744510d9dee0ee0dd84f1f7882e29e70c1139/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 07:37:08 UTC
File Type:
PE+ (Dll)
Extracted files:
2
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yvqxwefew66h6t23iv5nlf2ekegz33qo4doyj4pxraxctzymce4q._file
Verdict:
unknown
Similar samples:
044233e16f3e3ff7dcdeab11bfa49a9e99c943f2f97ee293705e45b9558c2bbb
RedLineStealer
86a8ee23cb943b383835eb2ba8bc513641ee6953ba1715832a8a485931054273
RedLineStealer
983ffa1a7513ab6d015e1c4785bda2a2f20a47bf6091773db9341ebcdaf84e93
RedLineStealer
aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088
RedLineStealer
b3f6afb079d5d25bea3a043d033091d5a0a8fde399c900a6337bc5e1dd65d279
RedLineStealer
c7ecbd646727c85760706a61c2283909c13cb5cd80f51f3ce5af83ed438d293d
RedLineStealer
cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861
RedLineStealer
d340898f14aaa9f884b022b4be1b849eae4be5e275432348dc6bcb1fa09e28cb
RedLineStealer
dba5353ab99e0d16f30cf5ee5f1f160493b9a9b6364c71197e573f81e4145e75
RedLineStealer
f8c64372ab0eb57fdfe9f1dc610287522c826640179080203e064d1a046bd868
RedLineStealer
+ 126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221128-jfayfabe8w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5617b10a4b7bc7f4f5b457ad59744510d9dee0ee0dd84f1f7882e29e70c1139

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Find_Any_Xll_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Find Any XLL File
Rule name:Hunt_Excel_DNA_Built_XLL_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Hunt for Excel Addin dll files generated with Excel-DNA builder https://excel-dna.net/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments