MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa81afff4e938533c1adb06dd10ff4a895931d9e080f1280a93b06f478f4f7fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11


SHA256 hash: fa81afff4e938533c1adb06dd10ff4a895931d9e080f1280a93b06f478f4f7fa
SHA3-384 hash: b60b90b0c92fbd306fd9f66f31831fa61a397a3446b10b7479cc130a1eff8d235002e959519b08e177ad0730c028e14b
SHA1 hash: c0c9bfd7c083fa5787dd0d3d7bdedd1641cfd07d
MD5 hash: a1f0fcdcbe97f316664430c02ab75c5b
humanhash: equal-diet-bacon-triple
File name: a1f0fcdcbe97f316664430c02ab75c5b
Signature: RedLineStealer
File size: 5'594'528 bytes
First seen: 2023-12-15 21:16:40 UTC
Last seen: 2023-12-15 23:18:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 98304:VnkDFt58Pz9G8phd0Xnx0sBQMEDN7pu+/qQxo:2DFt5E4Ghd+vBBO7u+yQxo
Threatray: 264 similar samples on MalwareBazaar
TLSH: T1DA469E0AB660DB23C14D1537E2D5641853F3D996A313E70B3B9437396D833EE4CAA9CA
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: f8e2eae6b696c6cc (4 x CobaltStrike, 2 x Adware.Generic, 2 x ValleyRAT)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer signed

Code Signing Certificate

Organisation: ActiveReports RDF document API
Issuer: ActiveReports RDF document API
Algorithm: sha512WithRSAEncryption
Valid from: 2023-12-10T16:06:41Z
Valid to: 2025-09-10T00:00:00Z
Serial number: 676e20ee07fcc949aa7e957832b7bdab
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 334dae18975b4bd4fb9969b2082c4c0f9d126fc484719de39784369c960524cb
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 289
Origin country: FR
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Sending a custom TCP request
  Creating synchronization primitives
  Creating a file in the %temp% directory
  Launching a process
  Creating a file in the %AppData% subdirectories
  Creating a file
  DNS request
  Forced shutdown of a system process
  Unauthorized injection to a system process
  Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature:
  .NET source code contains method to dynamically call methods (often used by packers)
  Allocates memory in foreign processes
  Connects to a pastebin service (likely for C&C)
  Connects to many ports of the same IP (likely port scanning)
  Injects a PE file into a foreign process
  Malicious sample detected (through community Yara rule)
  Writes to foreign memory regions
  Yara detected AntiVM3
  Yara detected RedLine Stealer
Result
Malware family: sectoprat
Score: 10/10
Tags: family:sectoprat rat trojan
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Legitimate hosting services abused for malware hosting/C2
  Drops startup file
  Loads dropped DLL
  SectopRAT
  SectopRAT payload
Unpacked files

SHA256 hash: 63366bb58836a4d9fc6a7fb5632ce6aeb52fd2ec57ea5d766b27bfedf7b7deee
MD5 hash: a6810a5899b5a89ee483c9e94dacb015
SHA1 hash: c787d081f7534936636b17d94ecee651fd64fdac

SHA256 hash: 6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33
MD5 hash: f45c1512d5a47375e6e396b4d1111e58
SHA1 hash: 8af036b8c60d10e85cf82212930bb04bc0553f36

SHA256 hash: 3ef6b85ea5ec21e5edf64014b40051a5837294c4e29684a358804d0e2c90c2b3
MD5 hash: ff60060d1bc257fb3c4e12836e74e6dc
SHA1 hash: 798532ae880ab7391ab18bc5a501940a6f593b65
Detections: SUSP_XORed_URL_In_EXE MALWARE_Win_Arechclient2

SHA256 hash: dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
MD5 hash: 544cd51a596619b78e9b54b70088307d
SHA1 hash: 4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256 hash: 95982df9d5d0765b98781d7db9ba95044ba469ee27484cbadc016e68adc2276e
MD5 hash: c14b7d4a63dd60ca84766cd59c28fd3d
SHA1 hash: 0a2b0c28ecce62af13898af0d2f5fcde9b99a6c1

SHA256 hash: fa81afff4e938533c1adb06dd10ff4a895931d9e080f1280a93b06f478f4f7fa
MD5 hash: a1f0fcdcbe97f316664430c02ab75c5b
SHA1 hash: c0c9bfd7c083fa5787dd0d3d7bdedd1641cfd07d
Detections: INDICATOR_EXE_Packed_Fody

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe fa81afff4e938533c1adb06dd10ff4a895931d9e080f1280a93b06f478f4f7fa (this sample)

Comments

zbet commented on 2023-12-15 21:16:41 UTC

url : hxxp://185.172.128.160/hv.exe