MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5e7d54bd327aca2e346351c6ad203d805f6f36a512385e0328d7a81ec0456e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	c5e7d54bd327aca2e346351c6ad203d805f6f36a512385e0328d7a81ec0456e7
SHA3-384 hash:	8e56a3e1c198cc0e927605e3204584fd516bb1127db64d30d2b8ced840c502140333ed1c1b9e54eac84d7005eb314796
SHA1 hash:	62638667269eca7c138a797904304489481c45d2
MD5 hash:	e8dc2427c71cfa5279bb8e2964b60f6e
humanhash:	fish-violet-louisiana-butter
File name:	e8dc2427c71cfa5279bb8e2964b60f6e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'250'831 bytes
First seen:	2021-02-18 15:42:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	49152:nJ8aUIu/xyDHXvRHkmNbae690cKY4BxLoe+PdXdIeimouI+MLMIigCR31zlPdsEd:JIxu3vRkYbAKQIeS3igCR3WE1re1w
TLSH	71E52373567E1169E0E1CC35AD37BEE471FA537F8B81A47888CADDC122115E9E223A43
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/117821/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.wc.2619.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/611842

Signature

Binary contains a suspicious time stamp

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c5e7d54bd327aca2e346351c6ad203d805f6f36a512385e0328d7a81ec0456e7/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yxt5ks6te6wkfy2gguogvuqd3ac7n43kkerylybsrv5id3aek3tq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

themida

Link:

https://tria.ge/reports/210218-d9bgf9wsc2/

Unpacked files

SH256 hash:

c5e7d54bd327aca2e346351c6ad203d805f6f36a512385e0328d7a81ec0456e7

MD5 hash:

e8dc2427c71cfa5279bb8e2964b60f6e

SHA1 hash:

62638667269eca7c138a797904304489481c45d2

Link:

https://www.unpac.me/results/ecad700b-58d8-42d4-accc-9a15f4bb2784/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/c5e7d54bd327aca2e346351c6ad203d805f6f36a512385e0328d7a81ec0456e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time