MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f803cdf82c4a8d157bffbcb2a8cb2e4972c5537a84165dd7b7461ca2d2b14c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 9 File information Comments

SHA256 hash:	0f803cdf82c4a8d157bffbcb2a8cb2e4972c5537a84165dd7b7461ca2d2b14c0
SHA3-384 hash:	06a120a75d745370887d973851f9f5b26a2fbec8f9ed972166c005a45acc8542b4088e40d70c8f8701decf58ee9f2710
SHA1 hash:	2350e8cd92802393ffa7c9472099e11f1d888b0c
MD5 hash:	c388e5ef8ba0b3f92e669571af6da405
humanhash:	georgia-cola-mexico-lamp
File name:	FORECAST_PO 4534213017_4534213019.tar
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'024'512 bytes
First seen:	2024-07-19 07:43:20 UTC
Last seen:	Never
File type:	tar
MIME type:	application/x-tar
ssdeep	24576:mu2Bpe91P+crRV5x3YYniek0WRh8x+9Xgzw:72BA91P+cdTxIYiD0WRh8Bc
TLSH	T1B2252352F0AC0563C99D8EB07CE009932A77DD1275F8C2D9AA9230994FF7FE106A6717
TrID	62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3) 37.0% (.TAR) TAR - Tape ARchive (file) (10/3)
Reporter	cocaman
Tags:	RedLineStealer tar

cocaman

Malicious email (T1566.001)
From: "=?UTF-8?B?U3lsd2lhIFB1xYJ0b3JhayhTeWx3aWEgUHXFgnRvcmFrW+2MkOunpO2MgF0p?= <sylwia.pultorak@slworld.com>" (likely spoofed)
Received: "from slworld.com (216-131-75-250.atl.as62651.net [216.131.75.250]) "
Date: "19 Jul 2024 00:42:09 -0700"
Subject: "New order PO and forecast week 29 / rail shipment"
Attachment: "FORECAST_PO 4534213017_4534213019.tar"

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
204.10.160.140:7001	https://threatfox.abuse.ch/ioc/1302244/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	FORECAST_PO 4534213017_4534213019.exe
File size:	1'022'496 bytes
SHA256 hash:	24738f9d40d5b8b364477a7fe4d85c530ef015b01eb1934361134a1295ef52df
MD5 hash:	4ba2a1c584faade1b11dc0cece9dfea7
MIME type:	application/x-dosexec
Signature	RedLineStealer

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Adware.Downware.20415.22396.29376.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6699dccb56d9cb0e7da8ece4

Tags:

Encryption Execution Infostealer Network Static Stealth Trojan Msil

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/669a19430148e856cd9698dd/reports/20da0045-46e8-4adf-b633-ce52c5aba0cc/overview

Verdict:

Suspicious

Labled as:

Mal/DrodTar

Link:

https://www.hybrid-analysis.com/sample/0f803cdf82c4a8d157bffbcb2a8cb2e4972c5537a84165dd7b7461ca2d2b14c0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

98%

Verdict:

Malware

File Type:

Result

Malware family:

redline

Score:

10/10

Tags:

family:agenttesla family:redline botnet:bigpay discovery execution infostealer keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240719-pg6z6a1amn/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

AgentTesla

RedLine

RedLine payload

Malware Config

C2 Extraction:

204.10.160.140:7001

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0f803cdf82c4a8d157bffbcb2a8cb2e4972c5537a84165dd7b7461ca2d2b14c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

tar 0f803cdf82c4a8d157bffbcb2a8cb2e4972c5537a84165dd7b7461ca2d2b14c0

(this sample)

RedLineStealer

exe 24738f9d40d5b8b364477a7fe4d85c530ef015b01eb1934361134a1295ef52df

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 24738f9d40d5b8b364477a7fe4d85c530ef015b01eb1934361134a1295ef52df

Dropping

RedLineStealer

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample