MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6505adc284a173137ab3198ccdd308fd0620b445e8bb2dc2fa68b7e11537b80a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6505adc284a173137ab3198ccdd308fd0620b445e8bb2dc2fa68b7e11537b80a
SHA3-384 hash: 25df61dc8ec0898b8c497cf0ab71f557956aa3bac93c347425748809e66fef93f8652635fb63120451e2620cec731d8d
SHA1 hash: b7ba6daf7317a2917431793d78b6494d31ef429b
MD5 hash: 40ddbdcca5ac4f4a33ad4f6412ab23e1
humanhash: florida-quiet-johnny-glucose
File name:SHIPPING DOCUMENT_DHL 6167444533_pdf.ace
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:900'212 bytes
First seen:2024-08-22 15:21:33 UTC
Last seen:2024-08-22 15:22:18 UTC
File type: ace
MIME type:application/octet-stream
ssdeep 24576:gah3ca7hg17Y/ANVlaf6dJTw6I1RuKX9wQOKhyREd26hmCPpQrwFk:gahTi7S2r3TDewKNwnKho226BP1Fk
TLSH T1AA153381A09DCEFE3103F56CB655A46B127A7179CCC3C88939F45CD12F291A0A964EFE
Magika unknown
Reporter cocaman
Tags:ace DHL RedLineStealer Shipping


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL | Express Shipping <marketa@fenchem.com>" (likely spoofed)
Received: "from mail.vesti.de (mail.vesti.de [148.251.186.39]) "
Date: "Thu, 22 Aug 2024 15:20:25 +0100"
Subject: "RE: Tracking # DHL 6167444533"
Attachment: "SHIPPING DOCUMENT_DHL 6167444533_pdf.ace"

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.25165.AceHeur.Scr.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Suspicious-ACE-scr.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c7579cb2a4681a72967962
Tags:
Execution Network Kryptik
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/66c7579e0f9197595929a5c2/reports/08719d40-5b88-4bff-85a8-4ebb3fc56799/overview
Verdict:
Malicious
Labled as:
Mal/DrodAce
Link:
https://www.hybrid-analysis.com/sample/6505adc284a173137ab3198ccdd308fd0620b445e8bb2dc2fa68b7e11537b80a
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6505adc284a173137ab3198ccdd308fd0620b445e8bb2dc2fa68b7e11537b80a/
Threat name:
ByteCode-MSIL.Infostealer.Pony
Create hunting rule
Status:
Malicious
First seen:
2024-08-22 15:21:37 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=muc23queufzrg6vtdggm3uyi7udcbncf5c5s3qx2nc36cfjxxafa._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery execution spyware stealer
Link:
https://tria.ge/reports/240822-s8rlbsvfpe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6505adc284a173137ab3198ccdd308fd0620b445e8bb2dc2fa68b7e11537b80a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ACE_Containing_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems) - based on Nick Hoffman' rule - Morphick Inc
Description:Looks for ACE Archives containing an exe/scr file

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

ace 6505adc284a173137ab3198ccdd308fd0620b445e8bb2dc2fa68b7e11537b80a

(this sample)

RedLineStealer

Executable exe 2fd59b6b8675f9b08950f510c569cc5848f804f7dbebb8bece8815b30147885c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2fd59b6b8675f9b08950f510c569cc5848f804f7dbebb8bece8815b30147885c
  
Dropping
MD5 efef37bc8db7f5a934537e849b3c1080

Comments