MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcabbdbcb25b9663b40e527927ad003ab43726989d5772a9999e4350ca974a6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcabbdbcb25b9663b40e527927ad003ab43726989d5772a9999e4350ca974a6a
SHA3-384 hash: 671c6c7ba9d4ae2462dcdba1a45d82015cf2cd9144b5734ddc8e9d28390db7f54c47311e3c80ae35c8eea6ef305be810
SHA1 hash: 8da611f0a48340705bfdb53beee386f76ed32e15
MD5 hash: f0c4661ae3bfe9282b8d779669e94890
humanhash: jig-carolina-connecticut-jersey
File name:INVOICE2021.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'583'104 bytes
First seen:2021-05-10 06:59:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:HJKWm+Sb7jaHdfayyDvPuBXfmfgpGxNTM:pvvSf0T79mfDPTM
Threatray 3'865 similar samples on MalwareBazaar
TLSH A275123036CC6A1DC3AE42B2C015C46162F6EF9A5353C66E5BC9571E1B1634ABE333DA
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153749/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/721173
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcabbdbcb25b9663b40e527927ad003ab43726989d5772a9999e4350ca974a6a/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-10 03:07:09 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3sv33pfslolghnaokj4spliahk2dojuytvlxfkmztzbvbsuxjjva._file
Verdict:
unknown
Similar samples:
12f249adf9e96719d8999e5ff16ca67fb252cb38edf05851577a564b3044f987
RedLineStealer
22916cd876516df90c959904823fbc25a331cd7f8e70343cc05f4674128f07e1
RedLineStealer
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
RedLineStealer
69da362bf57fa6f564c65d2df60c41c222c23a5296a8f48efe9e2e72ce58373f
RedLineStealer
79cf1acaf9b7a819bb68f28a23ed571a1cb1e517e09e3dde87614829ae7177d8
RedLineStealer
8c35b3d63f5644c97f5e9a1215ac4d9a4486eb78ff8a1410da52fa6853c99bf8
RedLineStealer
cc048d64fe045f9717b0d7f581936d97eac1bdb8af195d08106dca3b48329b34
RedLineStealer
cc4a75a27a80dd0c34ed04f12235a3424715b7c546b530e138b58aaf0af69f90
RedLineStealer
eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae
RedLineStealer
f6f89449abb24af3cfaf23fb4274541b5ee872a16bb9e6c9fe411e8a557000a7
RedLineStealer
+ 3'855 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210510-hzrytc6tx2/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Unpacked files
SH256 hash:
dc079b42f77256b86578d3ed180e89ebbc49cf2edbd1328d8a40efae8b3b3d36
MD5 hash:
a513c0ba2f5e0553e5fafcbc7251d336
SHA1 hash:
959abec6005eb72f4c2344be20bcab5e890d048e
Link:
https://www.unpac.me/results/1ddf389b-4adf-4ece-9c5d-73c3bf9c2ec5/
SH256 hash:
dcabbdbcb25b9663b40e527927ad003ab43726989d5772a9999e4350ca974a6a
MD5 hash:
f0c4661ae3bfe9282b8d779669e94890
SHA1 hash:
8da611f0a48340705bfdb53beee386f76ed32e15
Link:
https://www.unpac.me/results/1ddf389b-4adf-4ece-9c5d-73c3bf9c2ec5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcabbdbcb25b9663b40e527927ad003ab43726989d5772a9999e4350ca974a6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153749/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-10 06:59:41 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection