MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fca8a3b741242dff4e66deb713bcc278ad1da6ff219fcae1b98ea23f3640e9ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fca8a3b741242dff4e66deb713bcc278ad1da6ff219fcae1b98ea23f3640e9ca
SHA3-384 hash: 0957d786056aeee2b4893bc9be2982216a307647788669a3db8f48628ee001826f886309494ad55541ee1d72e20040a9
SHA1 hash: 4a7e3435dc2013c4ca0564867d5598f403163dcf
MD5 hash: 1b7a6aadd6da69544aadee4057b2a415
humanhash: winter-glucose-london-zulu
File name:1b7a6aadd6da69544aadee4057b2a415
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:710'144 bytes
First seen:2021-09-11 07:51:18 UTC
Last seen:2021-09-11 10:21:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ssaLQ5GXw8xMN7XiDAU5yGLKlf4EO1q+Ao56Nfwic:uQkCUALGLMcpAo0Nfw
Threatray 439 similar samples on MalwareBazaar
TLSH T1F5E48C3769FA0C05F55A09B00480B330D2B61D96798E8CC3DA8D7A5AD137BEA70DE56F
dhash icon b032cc442c8cb270 (1 x a310Logger, 1 x RedLineStealer, 1 x BluStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b7a6aadd6da69544aadee4057b2a415
Verdict:
Malicious activity
Analysis date:
2021-09-11 07:52:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9529319-1a14-487b-8301-3735d9a74b73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187028/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37562601.1597.9456.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a service
DNS request
Connection attempt
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Forced shutdown of a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bbae7bf5-a55f-4825-b6a2-d8b4060b5847
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/849100
Signature
Binary or sample is protected by dotNetProtector
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481531 Sample: LmOW6IrAMG Startdate: 11/09/2021 Architecture: WINDOWS Score: 88 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Machine Learning detection for sample 2->53 55 Binary or sample is protected by dotNetProtector 2->55 7 LmOW6IrAMG.exe 15 4 2->7         started        11 cgbr.exe 14 3 2->11         started        process3 dnsIp4 43 www.google.com 142.250.180.228, 49682, 49690, 80 GOOGLEUS United States 7->43 45 google.com 172.217.19.110, 49681, 49689, 80 GOOGLEUS United States 7->45 57 Tries to delay execution (extensive OutputDebugStringW loop) 7->57 59 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->59 13 cmd.exe 3 7->13         started        16 cmd.exe 1 7->16         started        19 vbc.exe 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 21 cmd.exe 1 11->21         started        23 cmd.exe 1 11->23         started        25 vbc.exe 11->25         started        signatures5 process6 file7 39 C:\Users\user\AppData\Roaming\cgbr\cgbr.exe, PE32 13->39 dropped 41 C:\Users\user\...\cgbr.exe:Zone.Identifier, ASCII 13->41 dropped 27 conhost.exe 13->27         started        47 Uses schtasks.exe or at.exe to add and modify task schedules 16->47 29 conhost.exe 16->29         started        31 schtasks.exe 1 16->31         started        33 conhost.exe 21->33         started        35 schtasks.exe 1 21->35         started        37 conhost.exe 23->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fca8a3b741242dff4e66deb713bcc278ad1da6ff219fcae1b98ea23f3640e9ca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 00:24:33 UTC
AV detection:
27 of 45 (60.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
36d0c6d5280a29e061d07ad6eac7236e063ee8023ac398bb6d3f34a3f8aacb83
RedLineStealer
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
RedLineStealer
71f5a0e02cfd97625bfaf4c5e48825b8b08262a7ac89f1b7f8ae82c1200205f8
RedLineStealer
bf40454532296d8028d2cc4be8f68076ee1237d5ee71f1c37736176d209ad8a0
RedLineStealer
cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb
RedLineStealer
cba897dc82a468040a082fd6135edecb8dcdcd0f0fe1375adeaeff3262cc6504
RedLineStealer
f051b1c9df37c1d4236c98b54883d4005572910949a1be18ab6ead13754147dc
RedLineStealer
f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520
RedLineStealer
fce1e5d65d8375a41cd61ec690febb3ca3d2b6745194cc7b0f54727bf48197a9
RedLineStealer
+ 429 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210911-jqez5sbbe7/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
fca8a3b741242dff4e66deb713bcc278ad1da6ff219fcae1b98ea23f3640e9ca
MD5 hash:
1b7a6aadd6da69544aadee4057b2a415
SHA1 hash:
4a7e3435dc2013c4ca0564867d5598f403163dcf
Link:
https://www.unpac.me/results/4bd7eb9b-c525-4b73-af6e-3e58bbd606e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fca8a3b741242dff4e66deb713bcc278ad1da6ff219fcae1b98ea23f3640e9ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fca8a3b741242dff4e66deb713bcc278ad1da6ff219fcae1b98ea23f3640e9ca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1610238/
Cape
Cape
https://www.capesandbox.com/analysis/187028/

Comments


Avatar
zbet commented on 2021-09-11 07:51:20 UTC

url : hxxp://52.47.201.149/R1/Z/PL_52003200112.exe