MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fae536169514c5730e6d6d6a582fb988341edd4cc1a62b5a2f172e87dd1708c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fae536169514c5730e6d6d6a582fb988341edd4cc1a62b5a2f172e87dd1708c5
SHA3-384 hash: eb68aadde3e2d5af42648c0baa560e28a93b5858bb5b63bc68d3f38c00bce07fe3e5348db530c8d5407d588e5142f281
SHA1 hash: 3c364c4e900eb1c7802e55277f9503f65b0bbe90
MD5 hash: 93358fd9789f54b5b6b2bcb31a5edd0f
humanhash: arizona-carpet-pasta-music
File name:93358fd9789f54b5b6b2bcb31a5edd0f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:935'080 bytes
First seen:2021-08-22 06:30:08 UTC
Last seen:2021-08-22 07:59:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:2VLFvth+w7GodQpbelTVx/0I0TMOUpiUV0JLFg6JXpqL49frjpNaS0:2vv/Nv+kTr/rNiBg6JZqL49Tc
Threatray 54 similar samples on MalwareBazaar
TLSH T13F15BE1437C88A21C97A02B16D38F4C8EBF999236505A65934CC6EFB1F33BC24797766
dhash icon 71f0c08888c0e070 (9 x SnakeKeylogger, 9 x AgentTesla, 8 x AsyncRAT)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
93358fd9789f54b5b6b2bcb31a5edd0f.exe
Verdict:
Malicious activity
Analysis date:
2021-08-22 06:31:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5cafd6ac-0c3e-4864-8bff-41b6329d6821

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181172/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37377649.24719.30916.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e68062b6-2f4a-4a22-a7cf-7f0aa7fddb63
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/836955
Signature
.NET source code contains potential unpacker
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses powershell Test-Connection to delay payload execution;
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469385 Sample: hPS5W6uwGz.exe Startdate: 22/08/2021 Architecture: WINDOWS Score: 76 34 Google.com 2->34 40 Malicious sample detected (through community Yara rule) 2->40 42 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 2 other signatures 2->46 8 hPS5W6uwGz.exe 3 2->8         started        signatures3 process4 signatures5 48 Uses powershell Test-Connection to delay payload execution; 8->48 11 powershell.exe 19 8->11         started        14 powershell.exe 16 8->14         started        16 powershell.exe 15 8->16         started        18 4 other processes 8->18 process6 dnsIp7 36 Google.com 11->36 20 conhost.exe 11->20         started        38 192.168.2.1 unknown unknown 14->38 22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 18->32         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fae536169514c5730e6d6d6a582fb988341edd4cc1a62b5a2f172e87dd1708c5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 23:02:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
081d4cc20e46574bc49b49558940371ce6b0a037d61ee2915e3a16f588de4eb8
RedLineStealer
2879bac33326dbd49d0af29893f110eab577cdf9f741e025c03dcbdde467028c
RedLineStealer
503daa99af5a571e42bba412296ce3f6e086ce203359cb27f7d04442d10b2999
RedLineStealer
6ffa008d9c18433dfb729075105f7837874da4b96d22c7718f360558f9aeaa0a
RedLineStealer
79e2a3311700e87e6d5e4d5f8e23f8f6b5500aa9e25e71afb016df130f21bae0
RedLineStealer
a024f189799cced8d2b2b164f4cc73b0eb9e12784bc977f182175bb61c17a171
RedLineStealer
+ 44 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210822-7h7km82sxn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
77218aec3c556dacd924d572e8ccceffc5b7b16461c64ddebab4423c873e2ab0
MD5 hash:
613dfd96efb8eb95afcda831369d6e48
SHA1 hash:
65b1a961c63ba4bcfcb7c1ae5024cd5de2b5d836
Link:
https://www.unpac.me/results/929d38c5-08ce-45b9-b396-add9f0de6221/
SH256 hash:
fae536169514c5730e6d6d6a582fb988341edd4cc1a62b5a2f172e87dd1708c5
MD5 hash:
93358fd9789f54b5b6b2bcb31a5edd0f
SHA1 hash:
3c364c4e900eb1c7802e55277f9503f65b0bbe90
Link:
https://www.unpac.me/results/929d38c5-08ce-45b9-b396-add9f0de6221/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fae536169514c5730e6d6d6a582fb988341edd4cc1a62b5a2f172e87dd1708c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PowerShell_Caret_Obfuscation_2
Create hunting rule
Author:Florian Roth
Description:Detects powershell keyword obfuscated with carets
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181172/

Comments