MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9
SHA3-384 hash: 76945f1f7eea104aa859dbc582dc3f4ce2ca2f35d15ff7ff75d33b80bf0bc8011d440b373ff4c4bbd98eb06f198b1ddf
SHA1 hash: 03a6033ef636fa5bbc624151697590cbbed8027f
MD5 hash: 599cc9d7aac0938d4499e7b7cf98b7f7
humanhash: edward-lion-artist-eighteen
File name:e-dekont.xz
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:830'145 bytes
First seen:2024-08-14 11:19:43 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:/GKr3r4XWTAwyc6bpJ8y3grgzYZXi+gsW7v9tzF:+Kzcs67GrgzYZcp
TLSH T1DA0533FD02965DF00323FC39C35632D41DD2D15098EC66BB14B8119C2A6BB97EBDE4A6
Reporter cocaman
Tags:RedLineStealer xz zip


Avatar
cocaman
Malicious email (T1566.001)
From: "=?UTF-8?B?WsSwUkFBVCBCQU5LQVNJ?= <ziraatbank@ileti.ziraatbank.com.tr>" (likely spoofed)
Received: "from [194.169.175.191] (unknown [194.169.175.191]) "
Date: "8 Aug 2024 04:50:25 -0700"
Subject: "e-dekont"
Attachment: "e-dekont.xz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
396
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:e-dekont.exe
File size:1'278'464 bytes
SHA256 hash: eed0adc7ec3cf3642dc35da44606b5c759c7c41b781fbe4aadde44a8b4bdacac
MD5 hash: e60bb21e13d17f680aa51c8cd6cc8aa9
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Detection(s):
Win.Malware.Silentall-10034109-0
Create hunting rule

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b4aad4aa5b40be0a9fdc73
Tags:
Generic Infostealer Network Stealth Trojan
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66bc92e5d07f13198dd2a592/reports/216a0789-ebc0-4c1b-a734-c7658f47ba33/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9/
Threat name:
Win32.Ransomware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-08-08 18:58:00 UTC
File Type:
Binary (Archive)
Extracted files:
18
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5d5iolvd5djgvtbb7qmvivlmf7bykxhsejromeqelxcwtrj6xmq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240814-nsbgyszeqf/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Loads dropped DLL
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

zip 2f47d439751f469356610fe0caa2ab617e1c2ae7911317309022ee2b4e29f5d9

(this sample)

RedLineStealer

Executable exe eed0adc7ec3cf3642dc35da44606b5c759c7c41b781fbe4aadde44a8b4bdacac

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 eed0adc7ec3cf3642dc35da44606b5c759c7c41b781fbe4aadde44a8b4bdacac
  
Dropping
RedLineStealer

Comments