MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4de2697a1f64f5cdcaf1293afcc05387baa1b87225426fca9fea7e817189c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4de2697a1f64f5cdcaf1293afcc05387baa1b87225426fca9fea7e817189c27
SHA3-384 hash: 983b143aca418391ef84e27d0df1bdc8d2bcede7ee2fe6d1f0278241de4cc1d90fafaa12f3e766c9e5ec4ed828d9568e
SHA1 hash: c78c225e7d07a85b38878bb71302be8d0469322d
MD5 hash: 710ccb00c36aed53252f5f4018ecaf1a
humanhash: zulu-paris-triple-paris
File name:710ccb00c36aed53252f5f4018ecaf1a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:123'904 bytes
First seen:2021-09-23 21:17:41 UTC
Last seen:2021-09-23 22:20:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:KiihhbQC1F1bTU6wYpnVtTfWgPeT7huJWJhSs5DLtHnFaWr0cnykI3Kgfdg9fOFq:Mln9QwnDTfW8eT0GBDjJc3oPXJXbZ5
Threatray 13 similar samples on MalwareBazaar
TLSH T11EC3D767C125146EC57826B0E0710F0B3F68CE601DA0B5CDA14EB99ADF3A54E8BFD267
File icon (PE):PE icon
dhash icon 0070ccd4d4cc6000 (3 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
710ccb00c36aed53252f5f4018ecaf1a.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 21:18:27 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/a1dec956-cab3-4944-bd1b-a0337848c7ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190894/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.114751.9247.4517.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea56fbff-b966-418a-b1ac-8f1197447bb0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/856930
Signature
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489357 Sample: osSxnccEWL.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 96 56 Multi AV Scanner detection for submitted file 2->56 58 Found many strings related to Crypto-Wallets (likely being stolen) 2->58 60 PE file contains section with special chars 2->60 62 PE file has nameless sections 2->62 7 osSxnccEWL.exe 15 6 2->7         started        12 WinHoster.exe 2 2->12         started        14 WinHoster.exe 2 2->14         started        process3 dnsIp4 40 whealclothing.xyz 7->40 42 iplogger.com 88.99.66.31, 443, 49761, 49762 HETZNER-ASDE Germany 7->42 44 my-all-group.bar 104.21.95.21, 443, 49754, 49755 CLOUDFLARENETUS United States 7->44 30 C:\ProgramData\4994762.exe, PE32 7->30 dropped 32 C:\ProgramData\1209466.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\...\osSxnccEWL.exe.log, ASCII 7->34 dropped 70 Detected unpacking (changes PE section rights) 7->70 72 May check the online IP address of the machine 7->72 74 Performs DNS queries to domains with low reputation 7->74 16 4994762.exe 1 4 7->16         started        20 1209466.exe 15 24 7->20         started        file5 signatures6 process7 dnsIp8 28 C:\Users\user\AppData\...\WinHoster.exe, PE32 16->28 dropped 46 Multi AV Scanner detection for dropped file 16->46 48 Detected unpacking (changes PE section rights) 16->48 50 Machine Learning detection for dropped file 16->50 23 WinHoster.exe 2 16->23         started        36 abccenter.top 172.67.162.93, 443, 49763 CLOUDFLARENETUS United States 20->36 38 192.168.2.1 unknown unknown 20->38 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->52 54 Tries to harvest and steal browser information (history, passwords, etc) 20->54 26 conhost.exe 20->26         started        file9 signatures10 process11 signatures12 64 Multi AV Scanner detection for dropped file 23->64 66 Detected unpacking (changes PE section rights) 23->66 68 Machine Learning detection for dropped file 23->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4de2697a1f64f5cdcaf1293afcc05387baa1b87225426fca9fea7e817189c27/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 15:25:55 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03cc15c743e103a3597c54ca13d7425978a6305235dacd700a193f5628c312df
RedLineStealer
1c4240600fc7bdc37ee84a11cee2908e8138bb01abe3d9d2af95741c0ddf593b
RedLineStealer
1e39513b16501c1ff55a8a9d4c7b4b27ad067f3063002541b74b43e547ca8bf8
RedLineStealer
3d9c989fec01c48d91044ab58bf7af9a8d425609ec4dd8633216c106f8c880c7
RedLineStealer
49393b6bd72219d0a17a665b4dee7d8acf718bec1125f28d83eca8ec1e7965f6
RedLineStealer
8346802296fc33b77a434c410fee9e054ce3f670a74907d603a521128465b90b
RedLineStealer
ba1d46710da9a8b2667b2f9571f6db70ffa8608ebe2a81ea1346cf7072856335
RedLineStealer
cb28fed6c60c5e3d6dfc93e5d48164348e75efacffd7d06b9a96c6996fdd9846
RedLineStealer
cb93bed808405cefb72de5c65d0f4906a9b771b0a31dc45b9428258bd7097828
RedLineStealer
fb4bab16f67ebc7ce75c5b34b34d05508963bc31a76f692ba63ddc9869c69595
RedLineStealer
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/210923-z5ln8sfbhk/
Behaviour
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
87e0d5d3fca704e2eff66d81a4798b67948d138064f2e78a12f369b6001efac5
MD5 hash:
fa699b718fbefefbbe66bc0f6a964ed3
SHA1 hash:
bddf9266dc47925c852c81215ae0427afb37a6f1
Link:
https://www.unpac.me/results/d34a89b1-087e-4d2a-addc-e3d2848c7352/
SH256 hash:
d4de2697a1f64f5cdcaf1293afcc05387baa1b87225426fca9fea7e817189c27
MD5 hash:
710ccb00c36aed53252f5f4018ecaf1a
SHA1 hash:
c78c225e7d07a85b38878bb71302be8d0469322d
Link:
https://www.unpac.me/results/d34a89b1-087e-4d2a-addc-e3d2848c7352/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d4de2697a1f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/d4de2697a1f64f5cdcaf1293afcc05387baa1b87225426fca9fea7e817189c27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d4de2697a1f64f5cdcaf1293afcc05387baa1b87225426fca9fea7e817189c27

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1635372/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190894/

Comments