MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 348758aaf60d10dbfcd33dce94ece0d410833997ea45e912f6e08936b7c54dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 348758aaf60d10dbfcd33dce94ece0d410833997ea45e912f6e08936b7c54dc1
SHA3-384 hash: d0cbb49e07b82519ef740fdae0aaf4e2d99134672b320d5634fcb6cf08a4a6244d4b69e99f6509d79341ce2633ecce86
SHA1 hash: d0093eb5c90918c919aeb90af3d04ffd33e92742
MD5 hash: 66acccf07ccd9fa04d1330c845ca743b
humanhash: kilo-mockingbird-jersey-grey
File name:764WG00FpC8I0TH.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:590'848 bytes
First seen:2021-10-01 14:24:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:GzhWo0bQ+X8+UiDLbRHah7khP6WoQY7a28f/cl83J+ljRa3:jbQ+X8+UiDLbRHah7kdsx7a2C/IqJ+pK
Threatray 1'171 similar samples on MalwareBazaar
TLSH T1D5C46A68E22FE769FD1923F0253CFCD015F82A69247CF927BE9650E23489E3051B0697
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
764WG00FpC8I0TH.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 17:55:03 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/6ba36c8a-85ce-4764-aa07-86a77c58c65e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194016/
Detection(s):
SecuriteInfo.com.Variant.Fonctuzim.1.13267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed01ac08-134e-4ce6-bd01-5d6c40eb38a5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862756
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/348758aaf60d10dbfcd33dce94ece0d410833997ea45e912f6e08936b7c54dc1/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 11:40:27 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gsdvrkxwbuinx7gthxhjj3ha2qiigomx5jc6sexw4cetnn6fjxaq._file
Verdict:
malicious
Similar samples:
164eb7d59814f46e7dcdb45b29a24651aa70fe5be898e3da1857eb0e912255c1
RedLineStealer
2757283204541417f05f64637d4313b9580b47a867ca14bc0728665ef043fff8
RedLineStealer
28d365d0bf668ea41521237a106c5ad34b280ec1cbfc2b6a5d39ec82b72e3d2f
RedLineStealer
3c2d13bed08fb1f1161870188f6e3bd192ff27f6d7d4ec51e81ba984cbab90e8
RedLineStealer
470f6539b8ee00569951c0d37d02afe1b7dab5c57e3a9279ea3a18d399e47e82
RedLineStealer
558c85e2b7da5f09f5207380878f37bec4b3437b8717fd3215f1d37a9894d8d6
RedLineStealer
629e9ec1106e34b10209da91c1394d15c7c0ed2a5f71553c7d00a4836bd91c03
RedLineStealer
7a9c56075abcdbf871f11581ec725fb7794fefc3cb7087bacf1d48a3aabb035a
RedLineStealer
8613eb4859c1db523505c3814aa707ec65928adef641985045eb68e479c4dfeb
RedLineStealer
f260c80e685986ac80122c63fcc494891baf4d688668da8f7fa11e38d7f8d1b8
RedLineStealer
+ 1'161 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/211001-rrbccacaa7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
8284626bb324db0a4b2516f9b5dc1da92a26e6315f7a2fe771079a99021125fe
MD5 hash:
eaddb22aa4c81beb01cd9f45fb47809c
SHA1 hash:
dca3c2c7c76f332ad5cf31ab7be227de4e0aa6c8
Link:
https://www.unpac.me/results/793f7093-1995-4214-a836-1e0151187e85/
SH256 hash:
aaba88bdfb875a4bca942d20386fbbd97999fb90586c0258c003d74f05c12da7
MD5 hash:
7708a89a4620a2777ac88e4e578ff837
SHA1 hash:
549b188922ab71b7f07cbb847cf753578a1d73f5
Link:
https://www.unpac.me/results/793f7093-1995-4214-a836-1e0151187e85/
SH256 hash:
48490b9a92cd09f773d11dc1201617b137678c23f3a54dcb9c83d83de3a3b169
MD5 hash:
4b068af6555d62c9f316e46a5855d1e3
SHA1 hash:
15032a8b865d49dd6860f6e651be1585d099735a
Link:
https://www.unpac.me/results/793f7093-1995-4214-a836-1e0151187e85/
SH256 hash:
f9cdc94440766f0afca53d08732725e5eb5be0414337f930abba67ac0a2fd207
MD5 hash:
68274d19e239b6a653c4fb43b0ef7887
SHA1 hash:
00684f7690b39c87792ec0ecc0230351e74e59ec
Link:
https://www.unpac.me/results/793f7093-1995-4214-a836-1e0151187e85/
SH256 hash:
348758aaf60d10dbfcd33dce94ece0d410833997ea45e912f6e08936b7c54dc1
MD5 hash:
66acccf07ccd9fa04d1330c845ca743b
SHA1 hash:
d0093eb5c90918c919aeb90af3d04ffd33e92742
Link:
https://www.unpac.me/results/793f7093-1995-4214-a836-1e0151187e85/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/348758aaf60d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/348758aaf60d10dbfcd33dce94ece0d410833997ea45e912f6e08936b7c54dc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 348758aaf60d10dbfcd33dce94ece0d410833997ea45e912f6e08936b7c54dc1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194016/

Comments