MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5fa48dcc0604fb10d844d476df30106684af28205a7c150142e0b3bf4ef8687. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 20 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5fa48dcc0604fb10d844d476df30106684af28205a7c150142e0b3bf4ef8687
SHA3-384 hash: c0c778e5b49b26ae4e996d4ac266dc97316df5c159aa71680e1a64c3225bb9f9b12e46bb44b94d537e1495f045e73ac3
SHA1 hash: 34aabee3b17901fb696ebf1f945b9ce9ee1e8bd5
MD5 hash: 8828e16622a493427575646994686d97
humanhash: stream-bravo-idaho-bacon
File name:8828e16622a493427575646994686d97
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'142'272 bytes
First seen:2023-09-13 05:51:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 24576:Ok70Trc7JD0DwSH42S/1jaosRQDC81CESZbto6AIHEZP5X6PTOLeQX:OkQTA7JD0DwM4/N2oO91Ey2hCqX
Threatray 1 similar samples on MalwareBazaar
TLSH T19135223170D0C1B3D0376879C8D6EBFA0A6575664B69A0D3B3AD07B65E213F2A3351CA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8828e16622a493427575646994686d97
Verdict:
No threats detected
Analysis date:
2023-09-13 05:54:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5521c09c-2f14-4510-aea2-4f26d87a1e00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448303/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sending a custom TCP request
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin net_reactor packed packed
Link:
https://www.filescan.io/uploads/65014e03b572d5a2189b0f3b/reports/5bc0e6ad-aed5-401a-8f5e-12a9a7c0fcf5/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e5fa48dcc0604fb10d844d476df30106684af28205a7c150142e0b3bf4ef8687
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/390874e6-cf08-4656-876a-93b40a39d23c
Result
Threat name:
FormBook, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308399
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Writes to foreign memory regions
Yara detected FormBook
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5fa48dcc0604fb10d844d476df30106684af28205a7c150142e0b3bf4ef8687/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 05:52:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4x5erxgambh3cdmejvdw34ybazuev4ucawt4cuaufyftx5hpq2dq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
fa7b173ac1477fca66559947e5989ce2747465e1715f4d6a1e0bbcc72259ca58
RedLineStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230913-gkqtcahg3w/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c5b1c8aac2b2a009deb2deed9a17c04046a74d86c42f34e28094f57b9a0f563b
MD5 hash:
d81523072bc1dbf30a3ccaa3c1cfcbbc
SHA1 hash:
182f23c971b47ab91e3e2a9a5e7d950b4ede4a19
Link:
https://www.unpac.me/results/97337d6b-8f09-452a-a356-812503ecd8ca/
SH256 hash:
aab675e1d0de07a27ab2d187b58eea08dd380dd5514045e64e2518a4b6451911
MD5 hash:
1ac716dc61a301dbc7f1e92d91ae601e
SHA1 hash:
0ee83cd50b71cbdbb7f97de4e5960c564d30cd24
Link:
https://www.unpac.me/results/97337d6b-8f09-452a-a356-812503ecd8ca/
SH256 hash:
fef39094c3a35fe0b3bdeabbd4807829a6c0b42ebcc57ff780463b025d976534
MD5 hash:
e6cb0f89fe1e8b0836df1b8889b4be4a
SHA1 hash:
96a071c7788b7d0e35a24f864d38075ba0a85f53
Link:
https://www.unpac.me/results/97337d6b-8f09-452a-a356-812503ecd8ca/
SH256 hash:
4a9428bc976a089ab0ecc4dadcfb1beb55f709f8347f992e6248d613d41d3649
MD5 hash:
2711fd9e5399536938a6bd31861262b3
SHA1 hash:
5e05a87bf573dd40ac24416d4c4d1ed6bf008946
Link:
https://www.unpac.me/results/97337d6b-8f09-452a-a356-812503ecd8ca/
SH256 hash:
5c03d43bf03feb867d7738b2697d9d44fe09fc2d97e681559f09cfa998ec0d77
MD5 hash:
2a048a7d6c0dab891aa81ee249bbb9a6
SHA1 hash:
15d6a9b88b85eca7671c3b337347badedb12931e
Link:
https://www.unpac.me/results/97337d6b-8f09-452a-a356-812503ecd8ca/
SH256 hash:
e5fa48dcc0604fb10d844d476df30106684af28205a7c150142e0b3bf4ef8687
MD5 hash:
8828e16622a493427575646994686d97
SHA1 hash:
34aabee3b17901fb696ebf1f945b9ce9ee1e8bd5
Link:
https://www.unpac.me/results/97337d6b-8f09-452a-a356-812503ecd8ca/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5fa48dcc060/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5fa48dcc0604fb10d844d476df30106684af28205a7c150142e0b3bf4ef8687

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e5fa48dcc0604fb10d844d476df30106684af28205a7c150142e0b3bf4ef8687

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448303/
  
URLhaus
https://urlhaus.abuse.ch/url/2711382/

Comments


Avatar
zbet commented on 2023-09-13 05:51:26 UTC

url : hxxp://194.180.49.211/D/rain.exe