MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f40dd6641748b834786cd41cbe281266218d3e5ff56257a30dcafc9c90cee1bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f40dd6641748b834786cd41cbe281266218d3e5ff56257a30dcafc9c90cee1bf
SHA3-384 hash: 5ca7f3a050a7a0bd29eb34f3a7bdc2462bd2dbd61fd2700badb7ef8366f5b9ec09e682cdd6f700213f4e45a240249142
SHA1 hash: 875986300a36f384a5dbcce9d8e15d432dc87912
MD5 hash: 3951f8ad7e0e7682fc0d9d13c9a503c5
humanhash: neptune-emma-pennsylvania-oregon
File name:3951f8ad7e0e7682fc0d9d13c9a503c5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'019'328 bytes
First seen:2023-03-24 06:45:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 49152:crQCvSTb40i4oH2gyBw1ne0a60Os+nEm3oI2FNMy:IlSDI2fQe0ls+EtM
Threatray 2'055 similar samples on MalwareBazaar
TLSH T14C953356A7E04466C2B60370C9F381CA0D313D737B7552BF9751E5BA4E33781AAB23A2
TrID 83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3951f8ad7e0e7682fc0d9d13c9a503c5.exe
Verdict:
Malicious activity
Analysis date:
2023-03-24 06:46:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/29b88e62-d121-451d-9f00-19dd4cec7a79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377032/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.67531.9943.8280.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.MSILHeracles.71936.8001.19372.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Marsilia.29066.692.14798.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74542/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll CAB installer packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/641d472f009023b71dc29b6c/reports/4c3de732-454f-44a2-ad86-0ce0999dfed4/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f40dd6641748b834786cd41cbe281266218d3e5ff56257a30dcafc9c90cee1bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2ec5950-868c-4c78-a6a5-339597768bc2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1201014
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 833931 Sample: QOCrQu4j3r.exe Startdate: 24/03/2023 Architecture: WINDOWS Score: 100 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 4 other signatures 2->51 9 QOCrQu4j3r.exe 1 4 2->9         started        13 MicrosoftEdge.exe 9 19 2->13         started        15 rundll32.exe 2->15         started        17 rundll32.exe 2->17         started        process3 file4 37 C:\Users\user\AppData\Local\...\system!.exe, PE32+ 9->37 dropped 39 C:\Users\user\AppData\Local\...\MICROS~1.EXE, PE32 9->39 dropped 61 Creates multiple autostart registry keys 9->61 19 system!.exe 1 4 9->19         started        23 SystemUWPLauncher.exe 6 1 9->23         started        signatures5 process6 file7 33 C:\Users\user\AppData\Local\...\system!.exe, PE32+ 19->33 dropped 35 C:\Users\user\AppData\Local\...\PROCES~1.EXE, PE32 19->35 dropped 53 Antivirus detection for dropped file 19->53 55 Multi AV Scanner detection for dropped file 19->55 57 Machine Learning detection for dropped file 19->57 59 Creates multiple autostart registry keys 19->59 25 system!.exe 10 19->25         started        signatures8 process9 dnsIp10 41 154.53.51.201, 49708, 63077 COGENT-174US United States 25->41 43 187.118.5.0.in-addr.arpa 25->43 63 Antivirus detection for dropped file 25->63 65 Multi AV Scanner detection for dropped file 25->65 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->67 69 5 other signatures 25->69 29 powershell.exe 14 25->29         started        signatures11 process12 process13 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f40dd6641748b834786cd41cbe281266218d3e5ff56257a30dcafc9c90cee1bf/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 05:39:36 UTC
File Type:
PE+ (Exe)
Extracted files:
86
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qg5mzaxjc4di6dm2qol4kasmyqy2ps76vrfpiynzl6jzego4g7q._file
Verdict:
malicious
Similar samples:
3b462f4db0471866ee181d9443901bea858dd4cf75fef45cca8ab04dd197e94a
RedLineStealer
62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50
RedLineStealer
65bea8ecbc22a05fe6cdd7108d9859e22de0a6796c7597ff299e4baf0dde04ad
RedLineStealer
6b58715b6f88fa91e2fb481b8640ff8579023e5d586b2964fbeac6f5ec63d5f8
RedLineStealer
6e0a7c7256246dfec4aeeebbfe2e1bf9d1a677a8688017fcf08748aee3ed52b3
RedLineStealer
841c1860b52b3817eed70e4d1f1bca972f0406e666bd8d034735fe70cc713831
RedLineStealer
91317464f677d1408e609d2296203b84cebed70ebc9aec92b51734c52db5bb32
RedLineStealer
cdda25e04fe115e6096cda6bcd6c8d9176ef5e6b6a7a52019aa58e938493413e
RedLineStealer
+ 2'045 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230324-hjmkzaeh2z/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
f40dd6641748b834786cd41cbe281266218d3e5ff56257a30dcafc9c90cee1bf
MD5 hash:
3951f8ad7e0e7682fc0d9d13c9a503c5
SHA1 hash:
875986300a36f384a5dbcce9d8e15d432dc87912
Link:
https://www.unpac.me/results/7903adbc-b0dc-4876-9c0e-22693f97ddfa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f40dd6641748/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/377032/

Comments