MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9d7ca6e47124b6b22a43986d6f21ec70c0173a2d72553595f87c6450d103e2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9d7ca6e47124b6b22a43986d6f21ec70c0173a2d72553595f87c6450d103e2a
SHA3-384 hash: 41ffc99e21c7b0656f176377cbcc61009f025003985c3bb857c4296cc8a5350f2e03d98c4ef04a53f1e13e06184a2ed7
SHA1 hash: c003de1b42342e3414b3451c43f368b9ba9fc193
MD5 hash: 12ac631ddce30527b221ce2647026c55
humanhash: south-shade-ceiling-gee
File name:Win 10 Tweaker.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'558'528 bytes
First seen:2021-07-10 16:41:51 UTC
Last seen:2021-07-10 17:45:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:9qaMN1UCKk52GY537G2HzKTwx7Rx+38CnezaZ8M/818R/NNdNFdea7jJCBuGtbCP:yN/3E37G2mUiskezaZ8OV/NFP4BuG4
Threatray 99 similar samples on MalwareBazaar
TLSH T121753375652173BDC56B97F3C49E2C0BA7E110BBC19640A2D36378EA690B383BD76834
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Win 10 Tweaker.exe
Verdict:
No threats detected
Analysis date:
2021-07-10 16:44:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3f3712ec-b1e8-42ec-b002-6fbab6200f9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170814/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46541233.30916.11234.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f023d853-7175-4833-9e85-8162122bbabb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/814338
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive USB information (via WMI, WIN32_USBHUB, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446749 Sample: Win 10 Tweaker.exe Startdate: 10/07/2021 Architecture: WINDOWS Score: 80 36 Multi AV Scanner detection for submitted file 2->36 38 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->38 40 Machine Learning detection for sample 2->40 42 4 other signatures 2->42 7 Win 10 Tweaker.exe 4 21 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        12 cmd.exe 1 7->12         started        14 cmd.exe 7->14         started        16 2 other processes 7->16 signatures5 44 Uses schtasks.exe or at.exe to add and modify task schedules 9->44 46 Uses netsh to modify the Windows network and firewall settings 9->46 18 compact.exe 1 9->18         started        20 conhost.exe 9->20         started        22 chcp.com 1 9->22         started        24 conhost.exe 12->24         started        26 chcp.com 12->26         started        28 schtasks.exe 12->28         started        32 3 other processes 14->32 30 conhost.exe 16->30         started        34 2 other processes 16->34 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9d7ca6e47124b6b22a43986d6f21ec70c0173a2d72553595f87c6450d103e2a/
Threat name:
Win32.PUA.WinTweaker
Create hunting rule
Status:
Malicious
First seen:
2021-06-26 09:59:01 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  1/5
Verdict:
unknown
Similar samples:
137c8e3e5c12b84d31907c3b8adccae1f3c19177ad410f36e423b5efa425af19
RedLineStealer
26b7bd2300a9c08d3ef195f92847c8981c0ffcb4a2055002592c8f24c96506ea
RedLineStealer
2b1bb1e82fb1a95195f15eba606066f43d2149c4ed323f962a3e0f4cdbc64aa6
RedLineStealer
4737ea5151d02ccd6fdf58f879792c4e0b8a682005bdea63f28c373156d407cc
RedLineStealer
649196028a2da14a49c0e7ac613ddb03e5cc6ab289081ee32d08b192d562859a
RedLineStealer
97adb29b80a535523c20571b48ae7b7b8f5ec2bc8ddf6fe22dcf08b7197badf3
RedLineStealer
cd84c2fe9c5f3783d3a6ebdea43e14774975f092ef5242a857b9a4a28e14878a
RedLineStealer
d959ab3ffc54e02792ddc39c6109e1e72a3e48937c225c06f7692bb4f3ffd888
RedLineStealer
f5aae19b73a4833e19ccff1b95dafa7b0c31a1def9bbaa5480593af68b2f4c85
RedLineStealer
f6aa394f7b0a0f629da6831a1134e4a6cbf21c70dce7f4133319d638d4b58023
RedLineStealer
+ 89 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210710-lq8xqy7a2j/
Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
25779ecc3e3a3b923466c290a5f034127679adf90185fac833d76dbdc9ec03f1
MD5 hash:
ac2a0cfaecc6ea5c538246bdbd22fb75
SHA1 hash:
7bdca6682cca57e8df17ab05cd173e7127127833
Link:
https://www.unpac.me/results/8fbea05d-6313-4c88-b996-851d7734f7f3/
SH256 hash:
081e48f7d2a761d906e335799a1de81d81c9b9e1e9b996ffee95aa7170defa45
MD5 hash:
c6ec74bc98d20a75f143fce6918145bf
SHA1 hash:
660711a9114116f9c7fb06f5fd528935007834e4
Link:
https://www.unpac.me/results/8fbea05d-6313-4c88-b996-851d7734f7f3/
SH256 hash:
c9d7ca6e47124b6b22a43986d6f21ec70c0173a2d72553595f87c6450d103e2a
MD5 hash:
12ac631ddce30527b221ce2647026c55
SHA1 hash:
c003de1b42342e3414b3451c43f368b9ba9fc193
Link:
https://www.unpac.me/results/8fbea05d-6313-4c88-b996-851d7734f7f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c9d7ca6e47124b6b22a43986d6f21ec70c0173a2d72553595f87c6450d103e2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170814/

Comments