MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1c5be0df761f43d265a1e7057f59a05b1f78f3bafabd7a9145fe195fc6db97a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1c5be0df761f43d265a1e7057f59a05b1f78f3bafabd7a9145fe195fc6db97a
SHA3-384 hash: 7b9e2c24d2849e909039f08ba67929f19c7b1d5c16605c69b1428a35327898774ed06102987f7b760b9d331bb802e325
SHA1 hash: 117642af025f90f579f59046a1aa32de25877732
MD5 hash: e787f776e83abef181aee71eaaa8aff9
humanhash: table-dakota-mexico-july
File name:JoinerStub.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'392'640 bytes
First seen:2022-04-16 05:10:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:M97EjQvYxRSiFWAwu4VrF6gRLc/DoyIn6bvtmYHXpWK/6sn/3O2Vr:M97sQvgSi/wu4WgRLuEyInivtmYZWQnp
Threatray 5 similar samples on MalwareBazaar
TLSH T13E5523C92D31491AE452733456E2B2F10FFA6A15E90EE56E244C2351BC48746BCBFE8F
TrID 38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter adm1n_usa32
Tags:exe RedLineStealer


Avatar
adm1n_usa32
related to d26f2e7bff9dc20de5089820c6412a4dcce98fafc38043d285498097786d8624

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JoinerStub.exe
Verdict:
Malicious activity
Analysis date:
2022-04-14 19:59:25 UTC
Tags:
trojan loader
Link:
https://app.any.run/tasks/130b64aa-8670-49f8-93b7-5bae4ab6c383

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264056/
Detection(s):
Win.Packed.Msilheracles-9943143-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/625a4fe7ffe27d5119e300fd/reports/e6878f52-03b3-49ac-997e-d52ae2c4ae6a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/479c7624-ed44-4ade-a15c-aa926bd42ae6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977601
Signature
Antivirus detection for URL or domain
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Koadic Execution
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610088 Sample: JoinerStub.exe Startdate: 16/04/2022 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 5 other signatures 2->48 8 JoinerStub.exe 8 4 2->8         started        11 FAAGWHBVUU.exe 2->11         started        process3 file4 32 C:\Users\user\AppData\...\FAAGWHBVUU.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\...\JoinerStub.exe.log, ASCII 8->34 dropped 13 FAAGWHBVUU.exe 4 8->13         started        17 EXCEL.EXE 20 17 8->17         started        process5 file6 36 C:\Users\user\AppData\...\FAAGWHBVUU.exe, PE32 13->36 dropped 58 Multi AV Scanner detection for dropped file 13->58 60 Machine Learning detection for dropped file 13->60 19 cmd.exe 1 13->19         started        signatures7 process8 signatures9 50 Uses schtasks.exe or at.exe to add and modify task schedules 19->50 52 Uses ping.exe to check the status of other devices and networks 19->52 22 FAAGWHBVUU.exe 15 3 19->22         started        26 PING.EXE 1 19->26         started        28 conhost.exe 19->28         started        30 2 other processes 19->30 process10 dnsIp11 38 c.tronlink.golf 156.248.77.90, 49740, 80 Africa-on-Cloud-ASZA Seychelles 22->38 54 Multi AV Scanner detection for dropped file 22->54 56 Machine Learning detection for dropped file 22->56 40 127.0.0.1 unknown unknown 26->40 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1c5be0df761f43d265a1e7057f59a05b1f78f3bafabd7a9145fe195fc6db97a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-10 01:18:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
034e8e297165eeb14372eea7a7e68756e561df39b84c5be924e542a36dee7418
RedLineStealer
569afa7798750e707f1705098a4a21a578f35e903969602088af2e03a94a26c5
RedLineStealer
6c5c35c34b7808d48cd428051263c39f70c7beb10a4e426d6e348d52c2cfe53a
RedLineStealer
7c0790ce5a7cfd7a3ab0af70a4766b7003bdf8eb2e366f5c74f609c57c34f4bb
RedLineStealer
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220416-ft9r5sbgbq/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5
MD5 hash:
c8d852fb1561658cae72fa498777bfbd
SHA1 hash:
ea689804b69e9e7611059d11eff2fdadd656e6fb
Link:
https://www.unpac.me/results/b479a447-3433-4718-9fa3-af8ddb6f8355/
SH256 hash:
ad776a2feed7584f343b66da65e47f6f42c25f2c56e393cef8dd91e7ff3dd8d9
MD5 hash:
791cdd9dddf917c4623a7284bf7d4a91
SHA1 hash:
8304de7cf69e9651ff5b7d89599e99b4592f482a
Link:
https://www.unpac.me/results/b479a447-3433-4718-9fa3-af8ddb6f8355/
SH256 hash:
f1c5be0df761f43d265a1e7057f59a05b1f78f3bafabd7a9145fe195fc6db97a
MD5 hash:
e787f776e83abef181aee71eaaa8aff9
SHA1 hash:
117642af025f90f579f59046a1aa32de25877732
Link:
https://www.unpac.me/results/b479a447-3433-4718-9fa3-af8ddb6f8355/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/f1c5be0df761f43d265a1e7057f59a05b1f78f3bafabd7a9145fe195fc6db97a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f1c5be0df761f43d265a1e7057f59a05b1f78f3bafabd7a9145fe195fc6db97a

(this sample)

zip d26f2e7bff9dc20de5089820c6412a4dcce98fafc38043d285498097786d8624

  
Dropping
SHA256 d26f2e7bff9dc20de5089820c6412a4dcce98fafc38043d285498097786d8624
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/264056/

Comments