MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfe58673321d387512d2604be0b7219ee758f2e717c13b64f6cfd7f7a846339f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	dfe58673321d387512d2604be0b7219ee758f2e717c13b64f6cfd7f7a846339f
SHA3-384 hash:	49dcdc4ad97de27fc12d01569cead021f0714589d6b3b94d39ecc69bf28fd185c87bd67f916f0db0c3f69882a4693b05
SHA1 hash:	90ad160d773b3a27e96e741f4b32514f9ce5f0b3
MD5 hash:	e41a75968f8870dafde82be208250165
humanhash:	pasta-alaska-cat-hawaii
File name:	gimmer_bot_.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'088'232 bytes
First seen:	2021-09-07 06:24:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:5ikCYlpQnnD0vlFznQ4jLYMaGl4EcmZHAFaxmVmie9bngP47iAjwd:5ZCaSnD0vlFznPj+Gl4EcmZHAFaxmVmm
Threatray	725 similar samples on MalwareBazaar
TLSH	T1C035F158369D6721DEE409B1D8DF1C3403B4FF46A6369EAB3E04B29587F3BE26D0015A
dhash icon	1271e8f8dcd47132 (1 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	bitbucket.org exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

gimmer_bot_.exe

Verdict:

Malicious activity

Analysis date:

2021-09-07 06:33:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e03b9e0e-5703-40bb-8820-4cea9d1cdb41

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/185897/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET-18.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26a18d5e-a037-4c37-8561-55c41e05776d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/846399

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Changes the view of files in windows explorer (hidden files and folders)

Disable Task List ballon tips (likely to surpress security warnings)

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dfe58673321d387512d2604be0b7219ee758f2e717c13b64f6cfd7f7a846339f/

Threat name:

ByteCode-MSIL.Trojan.Perseus

Status:

Malicious

First seen:

2020-08-15 05:59:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

4047099fa48723c13197f32b1b1c4ca5c450231d1bf8b693df939eb16363f4b0

RedLineStealer

4056d30bee79d6d293ff9e3eaeb493967922bfff0c9ddbd55c0e1c116f775070

RedLineStealer

6fb172bb9c23b3a8067a40f09264c3fa8ecb4f081c659de59560c5d52364d9e9

RedLineStealer

902c278916c230d5e51f24146feb8f7053bdbacaaf60df5399fad2dbccb88d77

RedLineStealer

91d5b0c029a508e2b1926313d9a9cbc3c513ad9be44991fb0954c76bdfd5ce17

RedLineStealer

bbc467be402fa10957b329f79484dd0dfbf30ca52ed4275f0fa2085807786f5a

RedLineStealer

d4e27b8e7e1fd965522468bdc3eaf06513dd3a3e7402d9b441ab002dfc892adc

RedLineStealer

fc98a2d606c58b8d7c318b470a77c342b290d1dea2da32d2f9648cbeddff9143

RedLineStealer

+ 715 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/210907-g6ps6scad3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Unpacked files

SH256 hash:

f484d8bcbf6816808fa24f7fff49b342c300e54db9dbb21df7141f902a5188ed

MD5 hash:

a059cd17f7fd6e3c4cc3a9abfa4c2bfb

SHA1 hash:

e96fe10371bf71638bc2529822c67d9a22bfea5b

Link:

https://www.unpac.me/results/91d672d7-4590-40ad-8bd3-4ae6c3b23ac8/

SH256 hash:

f1081f21f809845fe4497a30bf9eb84153a1c659809f88638eb6ac479d60e3d7

MD5 hash:

de3f1f4529a97d9db103f3abdb9c34c8

SHA1 hash:

93ca0fe7d80058a2bf52b29b39d57074a70c4bbf

Link:

https://www.unpac.me/results/91d672d7-4590-40ad-8bd3-4ae6c3b23ac8/

SH256 hash:

c22ec624753ad0318321bac51b29712848d63bad1e5bb77885231a0e733b4f66

MD5 hash:

d48417cb5c88604dddb985710308c84c

SHA1 hash:

3ebdf98211e00c353e742156ab92441da8770f48

Link:

https://www.unpac.me/results/91d672d7-4590-40ad-8bd3-4ae6c3b23ac8/

SH256 hash:

dfe58673321d387512d2604be0b7219ee758f2e717c13b64f6cfd7f7a846339f

MD5 hash:

e41a75968f8870dafde82be208250165

SHA1 hash:

90ad160d773b3a27e96e741f4b32514f9ce5f0b3

Link:

https://www.unpac.me/results/91d672d7-4590-40ad-8bd3-4ae6c3b23ac8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/dfe58673321d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/dfe58673321d387512d2604be0b7219ee758f2e717c13b64f6cfd7f7a846339f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185897/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample