MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb14f90c837063f7a2dee749306b1259579757ba73d7eb256defe08c254e3f8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb14f90c837063f7a2dee749306b1259579757ba73d7eb256defe08c254e3f8a
SHA3-384 hash: 0cd94e4553ba73c85b44fb9a5d12b1228d2e179706f2d53d5f68a5548836241eabbcf20757c437280fb8e08fc2da2ced
SHA1 hash: 83f1d643adb762dbd8c938dd1c8585336f447a35
MD5 hash: ef50755f551efe8aececc4bc6a99e9e9
humanhash: fourteen-seven-five-december
File name:ef50755f551efe8aececc4bc6a99e9e9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:39'424 bytes
First seen:2021-09-29 11:34:25 UTC
Last seen:2021-09-29 13:11:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:Sx6QS0McU2koGE4DfZQPqWZepQMj4eMFNHiP7zBMtr:Sx6QFMd3c4DB0+fyFRwzBMl
Threatray 25 similar samples on MalwareBazaar
TLSH T118034B0033888777D2BE533B4AA7504113F5EA227672EB1EAF84728948E77650F52F76
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ef50755f551efe8aececc4bc6a99e9e9.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-29 11:48:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d570ebe7-c1e9-4753-86e3-e1e4acd7b32f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BotSh1zoid
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193119/
Detection(s):
SecuriteInfo.com.Trojan.Inject.580.21544.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8dd581e2-25fe-430a-8925-fef9d113b60e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/861443
Signature
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Disables Windows Defender (via service or powershell)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 493873 Sample: mIWi8XkIDA.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 84 51 Multi AV Scanner detection for domain / URL 2->51 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Machine Learning detection for sample 2->57 8 mIWi8XkIDA.exe 15 2 2->8         started        process3 dnsIp4 45 cdn.discordapp.com 162.159.134.233, 443, 49746 CLOUDFLARENETUS United States 8->45 59 Hides threads from debuggers 8->59 61 Disables Windows Defender (via service or powershell) 8->61 63 Injects a PE file into a foreign processes 8->63 65 Contains functionality to hide a thread from the debugger 8->65 12 mIWi8XkIDA.exe 3 5 8->12         started        16 WerFault.exe 23 9 8->16         started        19 mIWi8XkIDA.exe 8->19         started        signatures5 process6 dnsIp7 47 45.137.66.81, 80 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 12->47 67 Disables Windows Defender (via service or powershell) 12->67 21 powershell.exe 24 12->21         started        23 powershell.exe 17 12->23         started        25 powershell.exe 12->25         started        27 12 other processes 12->27 49 192.168.2.1 unknown unknown 16->49 43 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->43 dropped file8 signatures9 process10 process11 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        35 conhost.exe 27->35         started        37 conhost.exe 27->37         started        39 conhost.exe 27->39         started        41 8 other processes 27->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb14f90c837063f7a2dee749306b1259579757ba73d7eb256defe08c254e3f8a/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-29 11:35:05 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
002b81b464fe41cfe17a2a59fdcea647ea5af9e8bfcbfc78ae4fc4c076765629
RedLineStealer
0cb94dd180548e55a02a5a8c75e601816746105eb6c8e62cb53b7fa2cddfa9c6
RedLineStealer
464b01b713a4c97b736dae0ea19855e97a172e7c11e9f7fe9ac0e054326c340c
RedLineStealer
4745b5f9bfe8d186e060f51f555a6544e35a3c99314143ac87c6ff475f1f6b25
RedLineStealer
481bf324192405f2b1c59092c3c207f12d16ac0ab47e7eef304fcf401a2ed2cf
RedLineStealer
6ca93eb4511997137870cc14dc0b80859d47a1ed6e98a74e47558a931179d0b6
RedLineStealer
95e512f980e10547b613b0ee9fde0e49716e338cdf16e9b50956e0b3a807ad20
RedLineStealer
bbe2a604c11442ee74adb7fa17910ca8e5665ab463e4a45b478707faa3a284e4
RedLineStealer
bc2cea17da33c23edbb0c86ab00b3ec3b4a2f4da84fb075922e41b7bf6b654f0
RedLineStealer
c62e5304821abc306872ea97c88a8d7dc800f7b63380b2cf89153c639de4704c
RedLineStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210929-np1yfaeheq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
cb14f90c837063f7a2dee749306b1259579757ba73d7eb256defe08c254e3f8a
MD5 hash:
ef50755f551efe8aececc4bc6a99e9e9
SHA1 hash:
83f1d643adb762dbd8c938dd1c8585336f447a35
Link:
https://www.unpac.me/results/fb2b2a38-3fed-419c-b61b-d5a8c250e037/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/cb14f90c837063f7a2dee749306b1259579757ba73d7eb256defe08c254e3f8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BotSh1zoid
Create hunting rule
Author:ditekSHen
Description:Detects BotSh1zoid
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cb14f90c837063f7a2dee749306b1259579757ba73d7eb256defe08c254e3f8a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/193119/
  
URLhaus
https://urlhaus.abuse.ch/url/1644572/
  
Delivery method
Distributed via web download

Comments