MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc00771cfb207ebbafb318d46ebd9dd082d76b739a725a792eba917ddc14aa03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc00771cfb207ebbafb318d46ebd9dd082d76b739a725a792eba917ddc14aa03
SHA3-384 hash: d4aecd3d971a218f66a9521e875226ba6663ef3cff93c8591bcef392a23c2043fac8822cf95fc814abd0df6f73701811
SHA1 hash: 46119277b36d7d0855a6b7b255ce749538053733
MD5 hash: 7d20b144fbf477138bcad9c1db44f6c1
humanhash: river-foxtrot-massachusetts-bluebird
File name:7d20b144fbf477138bcad9c1db44f6c1
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:920'064 bytes
First seen:2021-07-10 19:43:48 UTC
Last seen:2021-07-10 20:33:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 24576:BD6y7jDYfh2RfJJfe/FWYTMlqOEIVx6OOIM:BD6cD+AhJfyFBMDWZI
Threatray 168 similar samples on MalwareBazaar
TLSH T1DE15D0D3B8588B41CB99293180F7082903F2EDA7E9B5A34B1E1CB6840D717F68D5BB57
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7d20b144fbf477138bcad9c1db44f6c1
Verdict:
Malicious activity
Analysis date:
2021-07-10 19:44:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69233083-c38b-4572-9b18-7ec2475e3c85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170818/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.13974.12469.28758.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98cfbbdb-27b7-4664-a842-0fd7f3ca0572
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/814343
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc00771cfb207ebbafb318d46ebd9dd082d76b739a725a792eba917ddc14aa03/
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 11:48:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1f6c43e2bd2c2d8a9c8b603488301fdf6b1c074a88e9b48e4b6a9daeab0b1718
RedLineStealer
2886de9d76ef4a0531d223adddb017ca6f0ac5f1d69c16c7595b0ac9051d5438
RedLineStealer
51cdfacae2fda706f6c105556b74a9da1c7e89edbe5fc9124eec0183ea640e50
RedLineStealer
61c2b1b4f006ab6f3866a5e3aa4291ffea4e00cb66fd8c66b2cb2b48c881e863
RedLineStealer
6e3e15aaf05f995fde696fd7e54c21c3af5331623a3dd7f8279060f72b18518f
RedLineStealer
725e05473380845b888484c94414f03424794c8450abe0aa3a903997d6607815
RedLineStealer
8776ab0754e874c4850f80bd4b455ee1f55c3be6e44d307edfd3b1efa58d257b
RedLineStealer
8ba194b948d7b406491f6c90d2680eda0762b8ff83f0730f0b8ee16d4e2e5c92
RedLineStealer
b1212eb9c8a1c6a869ab3fa9ab73351123a58814dbeb6a3929266892a938e214
RedLineStealer
e09931997c18281c3a4cb81710b11a2924ed9617e60106fccdc2d6564b81e40e
RedLineStealer
+ 158 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210710-8eeve77ysn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
2d404fe3c170f5c4bc606143a608af74b0a665f837aa1c5812cb993b60d681a3
MD5 hash:
fdf296721553885866ed84906b2ce836
SHA1 hash:
91f2773109398c9d9ca5358b901e5bfbcc540c4a
Link:
https://www.unpac.me/results/d6095383-081a-474a-9aa7-54df232d69be/
SH256 hash:
2d1bc140982ee612adbe7ee4c3b13bd7ac073d165e86cff2889dfbddd80ce544
MD5 hash:
475d12369e1cfb265640bdb330d82ac5
SHA1 hash:
7b212a47bd72f04ee12c789abc8bb32e72f3fc4e
Link:
https://www.unpac.me/results/d6095383-081a-474a-9aa7-54df232d69be/
SH256 hash:
6a47b4bee5112448e75c821068f1507826d59e5c927239e0cf271a0faf8ab725
MD5 hash:
865699fbfdfb66e1f913daa8bffdffef
SHA1 hash:
3ede95f534b75b7631309c081bbfd4eb59538893
Link:
https://www.unpac.me/results/d6095383-081a-474a-9aa7-54df232d69be/
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/d6095383-081a-474a-9aa7-54df232d69be/
SH256 hash:
cc00771cfb207ebbafb318d46ebd9dd082d76b739a725a792eba917ddc14aa03
MD5 hash:
7d20b144fbf477138bcad9c1db44f6c1
SHA1 hash:
46119277b36d7d0855a6b7b255ce749538053733
Link:
https://www.unpac.me/results/d6095383-081a-474a-9aa7-54df232d69be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc00771cfb207ebbafb318d46ebd9dd082d76b739a725a792eba917ddc14aa03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cc00771cfb207ebbafb318d46ebd9dd082d76b739a725a792eba917ddc14aa03

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1442021/
Cape
Cape
https://www.capesandbox.com/analysis/170818/

Comments


Avatar
zbet commented on 2021-07-10 19:43:50 UTC

url : hxxp://i55fundraising.com/instalKP.exe