MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c91154128e07f0e2254202c4145f0c3b489c537a1795b71e463018f838c348cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c91154128e07f0e2254202c4145f0c3b489c537a1795b71e463018f838c348cb
SHA3-384 hash: fe47d8cf0629eebe3d00e04e87d1fc9870589eeadb2989b09dbeb34562fb3dfba142d32da57f926ad5c3276ab5a067fc
SHA1 hash: 3c1b6b2b68ae1e2525be4dffdceb53dd44632456
MD5 hash: 6c53267cc0b1e094a5821c0db4b30c63
humanhash: angel-texas-summer-video
File name:ItroublveTSC.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:603'648 bytes
First seen:2021-10-21 22:58:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 72 x LummaStealer, 62 x Rhadamanthys)
ssdeep 12288:IiDy90g4Pgpko7VNYtywGFXm+uM/izHlhFY0vRrNSwO9uWZ:IsywAko7VKombjlh1w0WZ
Threatray 32 similar samples on MalwareBazaar
TLSH T1BBD4F11663E56566F4F6677498F602934D33BCA29B7582AF1284D53E0E33BC4D832B23
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199204/
Detection(s):
Win.Malware.Refroso-9872010-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6171f0b89a5a1e91c5ccdad5/reports/aaa92616-8948-4f10-a63d-16188203dc13/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8effb85-6abb-4ccc-9b7a-9c06d66adcd7
Result
Threat name:
MercurialGrabber
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874914
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MercurialGrabber
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c91154128e07f0e2254202c4145f0c3b489c537a1795b71e463018f838c348cb/
Threat name:
ByteCode-MSIL.Trojan.Crifi
Create hunting rule
Status:
Malicious
First seen:
2021-10-17 09:56:50 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb
RedLineStealer
243b5b84bb63e98fb3d54e4e1d8592c367540a79f677a464f2c2ea5491f4c90f
RedLineStealer
3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8
RedLineStealer
5139ad11a48646552189e064b132a68728a2b53bb93cc2c96f737fd9271852fa
RedLineStealer
6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059
RedLineStealer
75b77800228079a5b6b94166581b2b406f6dca7baf3a9fb163aa0a2d2a89926b
RedLineStealer
fbe720229b96efaa4082c195a6d98d43005e1f69ed031f3f9b1f8dcb2113f4d8
RedLineStealer
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211021-2ydq6aahd3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
c91154128e07f0e2254202c4145f0c3b489c537a1795b71e463018f838c348cb
MD5 hash:
6c53267cc0b1e094a5821c0db4b30c63
SHA1 hash:
3c1b6b2b68ae1e2525be4dffdceb53dd44632456
Link:
https://www.unpac.me/results/eec7808a-a0cf-40a6-ad5e-799e4865541f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c91154128e07f0e2254202c4145f0c3b489c537a1795b71e463018f838c348cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c91154128e07f0e2254202c4145f0c3b489c537a1795b71e463018f838c348cb

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199204/

Comments