MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bdc23b87c130d6e77a7e534862c9e3807dccd181ba9f348919a4f24d09c79b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bdc23b87c130d6e77a7e534862c9e3807dccd181ba9f348919a4f24d09c79b4
SHA3-384 hash: 6cf2312a83c97ff3a220535a03a31eb792fca726a6850cd5f2c46490a6dd71c633b1f8c40a12d41ec851105867259103
SHA1 hash: d616ff360cfba6ae6655b82e663f9c1672cfd320
MD5 hash: cd27c2055942d7240ac2f606b2877f48
humanhash: hydrogen-august-april-triple
File name:SKM_C335019110710500.7z
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:632'488 bytes
First seen:2024-05-29 09:07:08 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
ssdeep 12288:FawRVQC0sBx8VUIOvhsYsH/TQL/wlvK4hROo:F+Js8fshslf6wZZPOo
TLSH T18AD423BC895D382896FB3C67C2B270B36C1C5252799C51AF5CB51CCE6CBDB2881A6C1D
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter cocaman
Tags:7z QUOTATION RedLineStealer


Avatar
cocaman
Malicious email (T1566.001)
From: ""Rinku Mishra" <line@srhdworld.com>" (likely spoofed)
Received: "from peppy.srhdworld.com (peppy.srhdworld.com [194.169.172.195]) "
Date: "27 May 2024 17:37:49 -0700"
Subject: "Re: Reminder: Quotation 156305"
Attachment: "SKM_C335019110710500.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:SKM_C335019110710500.exe
File size:1'146'880 bytes
SHA256 hash: 9389de75134803e64539e04f6b4db1081754b829fbb3ae0929bf1040fefc9258
MD5 hash: 544560547ede269dfd2ae2341b58b5d3
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.9784.31722.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Suspicious
File Type:
PE File
Link:
https://app.docguard.net/2bdc23b87c130d6e77a7e534862c9e3807dccd181ba9f348919a4f24d09c79b4/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin packed shell32
Link:
https://www.filescan.io/uploads/6656f07332eca5b28000af93/reports/4f09bb85-ec00-4075-8520-8ca30e3deb9d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2bdc23b87c130d6e77a7e534862c9e3807dccd181ba9f348919a4f24d09c79b4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/2bdc23b87c130d6e77a7e534862c9e3807dccd181ba9f348919a4f24d09c79b4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bdc23b87c130d6e77a7e534862c9e3807dccd181ba9f348919a4f24d09c79b4/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-05-28 00:34:53 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fpochod4cmgw455h4u2imle6had5ztiydou7gsertjhsjue4pg2a._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240529-nv5tksdb6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2bdc23b87c130d6e77a7e534862c9e3807dccd181ba9f348919a4f24d09c79b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

7z 2bdc23b87c130d6e77a7e534862c9e3807dccd181ba9f348919a4f24d09c79b4

(this sample)

RedLineStealer

Executable exe 9389de75134803e64539e04f6b4db1081754b829fbb3ae0929bf1040fefc9258

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9389de75134803e64539e04f6b4db1081754b829fbb3ae0929bf1040fefc9258
  
Dropping
RedLineStealer
  
Dropping
MD5 544560547ede269dfd2ae2341b58b5d3

Comments