MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8
SHA3-384 hash: 478f751de8d00df9c92e88320e97d51da5a262c494647748de4ee8eb96ba9a6a791783f9971e3c221bc10d8a0acc5b92
SHA1 hash: fed51c91bcdc8cb6d6b3536933fab3850eda8e6c
MD5 hash: 01ccd9af5bfa080e7c5ae38f2885d1b9
humanhash: magazine-lemon-angel-ack
File name:01ccd9af5bfa080e7c5ae38f2885d1b9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'194'304 bytes
First seen:2023-08-13 07:55:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:aQBLoFR9Rquf0AH998WuqW+T0PcQEaUwjDdW4QAHx1qGTp0H/urYBqRr:xLi2ucIsrY0EwjZW4Pxrr
Threatray 249 similar samples on MalwareBazaar
TLSH T10816AE01F27A92D6EE320FF45D057C922E9869FCE4B4980E2CFF165F26B1671502E993
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 71e0d8acb4dce871 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
01ccd9af5bfa080e7c5ae38f2885d1b9.exe
Verdict:
Malicious activity
Analysis date:
2023-08-13 08:08:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2458b699-83d5-466a-8aad-6e639a6170d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442489/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.60031.21366.10278.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending a custom TCP request
Creating a window
Sending an HTTP GET request
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ClipBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d935c6b3-ed92-4677-a899-a80ce23ce7b2
Result
Threat name:
Redline Clipper
Create hunting rule
Detection:
malicious
Classification:
spre.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290641
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Yara detected Redline Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290641 Sample: E7NO2KOavR.exe Startdate: 13/08/2023 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Antivirus detection for dropped file 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 7 other signatures 2->38 7 E7NO2KOavR.exe 3 2->7         started        10 tskutil.exe.exe 3 2->10         started        process3 signatures4 40 Bypasses PowerShell execution policy 7->40 42 Injects a PE file into a foreign processes 7->42 12 powershell.exe 14 7->12         started        16 E7NO2KOavR.exe 2 7->16         started        18 E7NO2KOavR.exe 7->18         started        24 2 other processes 7->24 20 powershell.exe 11 10->20         started        22 tskutil.exe.exe 2 10->22         started        process5 file6 30 C:\Users\user\AppData\...\tskutil.exe.exe, PE32 12->30 dropped 44 Drops PE files to the startup folder 12->44 46 Powershell drops PE file 12->46 26 conhost.exe 12->26         started        28 conhost.exe 20->28         started        signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8/
Threat name:
ByteCode-MSIL.Trojan.Marsilia
Create hunting rule
Status:
Malicious
First seen:
2023-08-11 14:42:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6bsgkp5uwlkghfq2677dengagsqgru4c6dpr5lng44eq3r6crdea._file
Verdict:
malicious
Similar samples:
12acc28c683190195fccfea230f47491c084d01f5d5fa975ba82135e1d0c8fa7
RedLineStealer
2f5d5ebb1081dde3e9314ebbc61466f3686361d356f881533725d6fbf0002aa8
RedLineStealer
34cd4efd5b358e557b88e0cc4a3bb16019664d074ee0c9b895ad49c44b2ce2da
RedLineStealer
7ce7eb7e7253f514a68eb5e5c6e8690722bea15384f5f58202394b6a74f785dd
RedLineStealer
7d6bc9c488ef81546e89c929a34e3d067ff083599c80edad38987fd0771cfe4a
RedLineStealer
8776ab0754e874c4850f80bd4b455ee1f55c3be6e44d307edfd3b1efa58d257b
RedLineStealer
aa0f96be29bd7888fdbd195fb56e741aad5f13b9a1df4a7e74a085924240f597
RedLineStealer
c3605d9a7e5cd2f57b09f4e5721b9817df3803e113d10cf8a70859cb73d02e3d
RedLineStealer
c7c98357e83930e3cecf3ba9697aadb42541de1e7c9a143c30a93c16fe4b63d7
RedLineStealer
e09931997c18281c3a4cb81710b11a2924ed9617e60106fccdc2d6564b81e40e
RedLineStealer
+ 239 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230813-jspx5ahg62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/8677bc2f-fcd9-4d0d-9d4a-779037a38da2/
SH256 hash:
65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3
MD5 hash:
848b847cd19805d19235b5acb8ef2bef
SHA1 hash:
38100751a4ae45a143232cbacf9bb441b31fb211
Link:
https://www.unpac.me/results/8677bc2f-fcd9-4d0d-9d4a-779037a38da2/
SH256 hash:
f20c5d1b6433dd3567851ccfb36b65d892114de4cf679773121227f59ba34877
MD5 hash:
5c7cf17d24cd1a4e4fcc02683fc99890
SHA1 hash:
0bef882c3891dab7e16c990e816e62bb53adaac4
Link:
https://www.unpac.me/results/8677bc2f-fcd9-4d0d-9d4a-779037a38da2/
SH256 hash:
f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8
MD5 hash:
01ccd9af5bfa080e7c5ae38f2885d1b9
SHA1 hash:
fed51c91bcdc8cb6d6b3536933fab3850eda8e6c
Link:
https://www.unpac.me/results/8677bc2f-fcd9-4d0d-9d4a-779037a38da2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2690743/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/442489/

Comments