MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca42d679800107fd959d600bda0b026fd1ef506b27ca270fd0af163ff71b5c1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca42d679800107fd959d600bda0b026fd1ef506b27ca270fd0af163ff71b5c1e
SHA3-384 hash: fe2b3cc37fc2946be3f650d46e69ea4eb490fc11819a230f0fe5f5a2023d8a40e324c39de960302a7b712b4d9b3d1f54
SHA1 hash: 52d67d194758d1d28488e73725678b096a4d7615
MD5 hash: 15cd021ab83035e068b2e25f21e5b950
humanhash: helium-three-saturn-wisconsin
File name:15cd021ab83035e068b2e25f21e5b950.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:57'856 bytes
First seen:2021-09-25 12:40:28 UTC
Last seen:2021-09-25 14:08:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:bGu1FWQyU9RXVf8f9ipZ2jVcATNVVb8i144KUISk3MuVfhkT+MnVhIaJ:bGu1o9UPXOf0jqV991ZKC4q9t
Threatray 29 similar samples on MalwareBazaar
TLSH T1A743D77741A184B6C0992734E8750F0F3A7CD6241981F69CF04AB6AEDC1D69D9EF83B8
File icon (PE):PE icon
dhash icon 628ddd521a65ad2b (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15cd021ab83035e068b2e25f21e5b950.exe
Verdict:
Malicious activity
Analysis date:
2021-09-25 12:45:59 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/bf36a2fc-672d-474f-8a9e-ad4cb39f1375

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191529/
Detection(s):
SecuriteInfo.com.AgentTesla-FDCV15CD021AB830.5039.24883.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/02cc62eb-8cb2-4a6a-8192-d66680cb5b88
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858031
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 490460 Sample: saBQ44cKq9.exe Startdate: 25/09/2021 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected RedLine Stealer 2->58 60 PE file contains section with special chars 2->60 62 PE file has nameless sections 2->62 7 saBQ44cKq9.exe 15 6 2->7         started        12 WinHoster.exe 2 2->12         started        14 WinHoster.exe 2 2->14         started        process3 dnsIp4 38 whealclothing.xyz 7->38 40 iplogger.com 88.99.66.31, 443, 49739, 49740 HETZNER-ASDE Germany 7->40 42 my-all-group.bar 172.67.169.45, 443, 49732, 49733 CLOUDFLARENETUS United States 7->42 30 C:\ProgramData\6589973.exe, PE32 7->30 dropped 32 C:\ProgramData\5444760.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\...\saBQ44cKq9.exe.log, ASCII 7->34 dropped 70 May check the online IP address of the machine 7->70 72 Performs DNS queries to domains with low reputation 7->72 16 5444760.exe 1 4 7->16         started        20 6589973.exe 15 24 7->20         started        file5 signatures6 process7 dnsIp8 28 C:\Users\user\AppData\...\WinHoster.exe, PE32 16->28 dropped 44 Multi AV Scanner detection for dropped file 16->44 46 Detected unpacking (changes PE section rights) 16->46 48 Machine Learning detection for dropped file 16->48 23 WinHoster.exe 2 16->23         started        36 online-stock-solutions.com 172.67.144.208, 443, 49742 CLOUDFLARENETUS United States 20->36 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->50 52 Tries to harvest and steal browser information (history, passwords, etc) 20->52 54 Tries to steal Crypto Currency Wallets 20->54 26 conhost.exe 20->26         started        file9 signatures10 process11 signatures12 64 Multi AV Scanner detection for dropped file 23->64 66 Detected unpacking (changes PE section rights) 23->66 68 Machine Learning detection for dropped file 23->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca42d679800107fd959d600bda0b026fd1ef506b27ca270fd0af163ff71b5c1e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-25 12:41:11 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00fe5f5fd5d99caa0c8b1ac7ab8ea8e7f8150c7956b402d00089e1c23eb9f1d3
RedLineStealer
03cc15c743e103a3597c54ca13d7425978a6305235dacd700a193f5628c312df
RedLineStealer
07e0cb59b6ecd2ca93fd59a315632d538f6167fef0cf3203d61714f5823bd548
RedLineStealer
42c67e25393301648626c1f3affbc2e98e56b1c88c79bd2befa0a140a32dbd41
RedLineStealer
5c94baed9902a0042577180ae82c0cce8edf18bc5ab177d2ea3652cde26b1b88
RedLineStealer
88d7f8a03335116550843fc11f768b259a7cfbf7b4d79a4d089db721fb131432
RedLineStealer
90ec027aaeb78b54645176eac81991a7b6cc4d24d0eaa0d765265b2693069eb3
RedLineStealer
c57eb4397e46915259bd78aa19d55c726cf78cc07f4abb2e580dc73b5f87fd0c
RedLineStealer
cb28fed6c60c5e3d6dfc93e5d48164348e75efacffd7d06b9a96c6996fdd9846
RedLineStealer
d4de2697a1f64f5cdcaf1293afcc05387baa1b87225426fca9fea7e817189c27
RedLineStealer
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/210925-pwsfbacfgr/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
24ce70004b1e29d8ba2e3fb4d89337b37b07f2b5c47f5f3be782ef1f46d0a798
MD5 hash:
3718effd6324a3881b242c48ddc33a13
SHA1 hash:
d8d0371d9c1dcec0f43b24a3d2ff388b0276e503
Link:
https://www.unpac.me/results/47c0ae12-368c-4657-b392-9be3b968729c/
SH256 hash:
ca42d679800107fd959d600bda0b026fd1ef506b27ca270fd0af163ff71b5c1e
MD5 hash:
15cd021ab83035e068b2e25f21e5b950
SHA1 hash:
52d67d194758d1d28488e73725678b096a4d7615
Link:
https://www.unpac.me/results/47c0ae12-368c-4657-b392-9be3b968729c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ca42d679800107fd959d600bda0b026fd1ef506b27ca270fd0af163ff71b5c1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ca42d679800107fd959d600bda0b026fd1ef506b27ca270fd0af163ff71b5c1e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1635372/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191529/

Comments