MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f209d0916ddfb26a18d236c030e4cead3691a07e2008964a12b36bf7262ad0d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 4



SHA256 hash: f209d0916ddfb26a18d236c030e4cead3691a07e2008964a12b36bf7262ad0d8
SHA3-384 hash: 4d8706d21dd8dbf1f3a4bdf47970d67cdb2cf370f5f9210a1ae75f6c9ad581aafcc29d4bd14ecae533bacd1dfef7ad34
SHA1 hash: c44fbbf9ca8f6ab69a4f22e16370915174367c24
MD5 hash: a5fa9b2b71d7d7f7cb9c1440b4b90ec0
humanhash: spaghetti-minnesota-mississippi-echo
File name: a5fa9b2b71d7d7f7cb9c1440b4b90ec0.exe
Signature: RedLineStealer
File size: 1'474'208 bytes
First seen: 2021-08-21 19:42:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ffbb45b6f5c54321e555b15ab01a5aed (1 x RedLineStealer)
ssdeep: 24576:agQf8jfctdh6JRDIDJAlPi3278v4ptKvfhvuY4FgIXJNbmPGZtWusXQXbyVVW/DK:pjfk4onOGNIpiWtHszM5tWKHZ2ngJwOY
Threatray: 24 similar samples on MalwareBazaar
TLSH: T1AD6559B3742D1EB5BBDA1C6790170C0F65B4AC33828FB614B7D46B27C84FE8CA855A16
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 143
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a5fa9b2b71d7d7f7cb9c1440b4b90ec0.exe
Verdict: No threats detected
Analysis date: 2021-08-21 19:46:14 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: suspicious
Classification: evad
Score: 25 / 100
Signature: Contains functionality to detect sleep reduction / modifications

Behaviour
Behavior Graph (ID 469261; sample jf6kE4lzRY.exe; start date 21/08/2021; architecture WINDOWS; score 25): jf6kE4lzRY.exe started; matched signature "Contains functionality to detect sleep reduction / modifications"; child processes WerFault.exe and conhost.exe started.
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-08-21 19:43:06 UTC
AV detection: 4 of 46 (8.70%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: f209d0916ddfb26a18d236c030e4cead3691a07e2008964a12b36bf7262ad0d8
MD5 hash: a5fa9b2b71d7d7f7cb9c1440b4b90ec0
SHA1 hash: c44fbbf9ca8f6ab69a4f22e16370915174367c24
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | RedLineStealer | Executable exe | f209d0916ddfb26a18d236c030e4cead3691a07e2008964a12b36bf7262ad0d8 (this sample)

Delivery method: Distributed via web download

Comments