MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7a5001c2ba52418531e60d06072f4130bb9eabbba600f39a90521479ed3f1f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7a5001c2ba52418531e60d06072f4130bb9eabbba600f39a90521479ed3f1f8
SHA3-384 hash: b8c580fa2b03d9b3d0a195a01455be64f9d1b6668d0f6b39f20845db388868fc1e0dfa0ecc2fe9a56411987607ecc858
SHA1 hash: 8786fed9bfb948767cd3170b1a7fa00db6d79fe9
MD5 hash: c61e8f7c7ea0a25c2dcb8a73d7aec241
humanhash: social-arizona-avocado-missouri
File name:install.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:167'936 bytes
First seen:2022-10-09 06:24:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 74 x LummaStealer, 62 x Rhadamanthys)
ssdeep 3072:bahKyd2n3165GWp1icKAArDZz4N9GhbkrNEkO5CO:bahOqp0yN90QEP
Threatray 2'819 similar samples on MalwareBazaar
TLSH T1EFF36C4663F42166F5F6677598F202934A32BCA19B75C2EF1284D57E0E33AC0E931B27
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter JAMESWT_WT
Tags:afterburner-msi exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://fermia.online/MSIAfterburner.msi
Verdict:
Malicious activity
Analysis date:
2022-10-09 06:23:14 UTC
Tags:
loader trojan stealer
Link:
https://app.any.run/tasks/c3e5fbc5-80ea-4494-aab1-6e8e84e4ec65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317988/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop14.3005.22788.5561.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42074/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
advpack.dll rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6342693f65517e87f667e7e7/reports/24ce5ff7-176a-4592-a8f5-950e2b7cc57d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/efb84057-d0e2-417a-8ce3-db7296e5e327
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1086434
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 718991 Sample: install.exe Startdate: 09/10/2022 Architecture: WINDOWS Score: 48 18 Multi AV Scanner detection for submitted file 2->18 8 install.exe 1 3 2->8         started        process3 process4 10 cmd.exe 2 8->10         started        process5 12 cmd.exe 1 10->12         started        14 conhost.exe 10->14         started        process6 16 conhost.exe 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7a5001c2ba52418531e60d06072f4130bb9eabbba600f39a90521479ed3f1f8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6sqahbluusbquy6mdiga4xucmf3t2v3xjqa6onjauquphwt6h4a._file
Verdict:
unknown
Similar samples:
257b99a8149825c3714e40ef1f4e0d1ccb35e0cc692deeb4e9fab1f38d9dddc9
RedLineStealer
436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497
RedLineStealer
4533b5392f6e49cf20ee0821b4c8b6b74b8af274995646791ec7fe48a2615425
RedLineStealer
5ef79469533653cf78a5dbff0a9d408d13541b2245874598f0177cc139e5e841
RedLineStealer
7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476
RedLineStealer
8d28f3c7f370b5d1bf1868e5de0e16d380ca93d583ca74c45fae83ba24f9c8aa
RedLineStealer
9ceef6a61f77d5e5c9d65e5eff7c2ede91cd236839c09830322faf841167a5e3
RedLineStealer
a1a3d07b7d2a764011affbede324e5f01590697e110a1c934d21c3627d3d1484
RedLineStealer
+ 2'809 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/221009-g6lfragedr/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f47ef7de-902d-45d6-b6b8-85b0904e319f
Unpacked files
SH256 hash:
c7a5001c2ba52418531e60d06072f4130bb9eabbba600f39a90521479ed3f1f8
MD5 hash:
c61e8f7c7ea0a25c2dcb8a73d7aec241
SHA1 hash:
8786fed9bfb948767cd3170b1a7fa00db6d79fe9
Link:
https://www.unpac.me/results/ba62f268-fd72-4081-aedb-e2ae369bcb43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7a5001c2ba52418531e60d06072f4130bb9eabbba600f39a90521479ed3f1f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317988/

Comments