MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA3-384 hash: 0197c9e205f8a4a192f4648c6681a91b56df45bd76247f01471c316985ba0cdd15cd19ac7303c6f233f266aff2a44160
SHA1 hash: 12280091094281fa60fa8321006abfc7c4bd4e33
MD5 hash: 6439889cfd410e3b57422781c93e26cf
humanhash: aspen-delaware-black-kilo
File name:6439889cfd410e3b57422781c93e26cf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:465'920 bytes
First seen:2021-08-05 15:12:02 UTC
Last seen:2021-08-05 16:25:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:pD7irNMyXB/qiYdhJvG+vDSIn+PFmAvZmcpWb8aoL8UO1vhhAAh:pD7+MyXhYdhJvGMDhnwFmmZmcYb8aLB
Threatray 156 similar samples on MalwareBazaar
TLSH T1C9A46BAF3650619FF47AC47D6E641D16F524EEE3B2CEC583E4831048CA3D9879A841BE
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fb10b8ea68c1e0064730018fca3cb39.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 10:35:34 UTC
Tags:
trojan stealer vidar rat azorult raccoon loader
Link:
https://app.any.run/tasks/9663e505-8851-4b1a-8c1f-94cb9b6703d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176701/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.IN.10.12859.29368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Blocking the Windows Defender launch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48fa8d14-6a27-4868-a73b-a0a5c070e775
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/827441
Signature
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Disables Windows Defender (via service or powershell)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 459872 Sample: YIkmNSywNg.exe Startdate: 05/08/2021 Architecture: WINDOWS Score: 72 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected AntiVM3 2->42 44 Machine Learning detection for sample 2->44 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->46 8 YIkmNSywNg.exe 3 2->8         started        process3 file4 38 C:\Users\user\AppData\...\YIkmNSywNg.exe.log, ASCII 8->38 dropped 48 Disables Windows Defender (via service or powershell) 8->48 12 YIkmNSywNg.exe 1 1 8->12         started        signatures5 process6 signatures7 50 Disables Windows Defender (via service or powershell) 12->50 15 powershell.exe 8 12->15         started        18 powershell.exe 22 12->18         started        20 powershell.exe 18 12->20         started        22 11 other processes 12->22 process8 signatures9 52 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->52 24 conhost.exe 15->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started        36 8 other processes 22->36 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 10:09:23 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
02ec84d0b711866766513ad2b97752fe246e00e665e4518afe36260e5fa7b844
RedLineStealer
0e42efb1ea61d5d30ed176723fe7d724138abcf6c0291ced028ffa940171a312
RedLineStealer
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
RedLineStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
RedLineStealer
70c6f1b40c8d5d8b46a3601c4c260e14b53e4e59a5d46c0650216cf424f2d7de
RedLineStealer
7d02ae5ae3ed3b7a13ff5495174216ea3195764d7154b8e9b4997c74fd08fb09
RedLineStealer
b30f264fda73db6970c313776095289e5fc0ee77f6be19010e2f9e125205e845
RedLineStealer
bcb474ac919440674135c673d8c6a0fc8015a63a15b2849c3346f74a716b5249
RedLineStealer
c569b5dd76b6c49a985b6f8dc69d4f7f7f5cc4dc301ea7bc0c80a3a63b7bdaf2
RedLineStealer
f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21
RedLineStealer
+ 146 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210805-8rc6ee2pga/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/5ed3258f-cd4c-4ad5-8cbd-952fa90a6876/
SH256 hash:
8557e71ea1f0d0696e0e316907202dbf0560c19874e2603382c187aa45ef277a
MD5 hash:
11bba2ec64963ed56b7d38fbd54045f4
SHA1 hash:
ab6e5df1225a6d6d230de6120262251cfb93af53
Link:
https://www.unpac.me/results/5ed3258f-cd4c-4ad5-8cbd-952fa90a6876/
SH256 hash:
910e8e8810712a9c8c4ba27772e8abefe2be18c17fe3a61eb166357652b3ed97
MD5 hash:
d541d87883f9b2f80ddb42fb4084ff04
SHA1 hash:
a3801ec009f7c62702f485d8df9943ec15145396
Link:
https://www.unpac.me/results/5ed3258f-cd4c-4ad5-8cbd-952fa90a6876/
SH256 hash:
c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
MD5 hash:
6439889cfd410e3b57422781c93e26cf
SHA1 hash:
12280091094281fa60fa8321006abfc7c4bd4e33
Link:
https://www.unpac.me/results/5ed3258f-cd4c-4ad5-8cbd-952fa90a6876/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HKTL_NET_GUID_Disable_Windows_Defender
Create hunting rule
Author:Arnim Rupp
Description:Detects c# red/black-team tools via typelibguid
Reference:https://github.com/NYAN-x-CAT/Disable-Windows-Defender
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1475913/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/948785/
Cape
Cape
https://www.capesandbox.com/analysis/176701/

Comments