MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189
SHA3-384 hash: 9f0d67353931233d5c0e2e9d3657c254edd38bb4cc534403be17dde162a26388a5e96e7e9424f6ce2b708774aeb1be82
SHA1 hash: 7c6747ffd37ebd058a35320de47d9d67f040e96d
MD5 hash: 0768fd9a6c0344944a223b28eedff41f
humanhash: michigan-speaker-robert-neptune
File name:【下发PPT】汇报PPT模板-中国移动通信集团福建有限公司ppt模板.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'968'714 bytes
First seen:2022-06-10 08:29:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:384l4M9Pb7Tv/lz5sYv7nuJBuw5Jxl3IzIwwL3ajg7A1fF1NudkhBKaolz8x6PGL:3oM577/lzCYvURZ/L3a31fjmkhB0l8Ca
Threatray 1'797 similar samples on MalwareBazaar
TLSH T111D5234B7CC19DB2C56605371729AEA4207DBD205F10CEAFE3A4FA4FAD314C05A29A97
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 30c28c8c8c84ca30 (1 x RedLineStealer)
Reporter obfusor
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0.rar
Verdict:
Malicious activity
Analysis date:
2022-06-10 08:02:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a45dbdcc-3290-4178-ba1a-18036f8607ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278602/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending an HTTP POST request
Launching a process
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62a300f4f944eda443fd45ea/reports/33bb0667-e9d1-4d2c-b873-2802ca996982/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70fc9d9f-eacf-4851-b494-42845f6cf168
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1010676
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-06-10 08:17:53 UTC
File Type:
PE (Exe)
Extracted files:
173
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ny7uyluf275rgt34vfpale7hmrd3v3mmtyw666xjjwelvuzfogeq._file
Verdict:
unknown
Similar samples:
0d2ada23e3ed12fff4c0e31377f1f577bcca7694b73545049a36f443d6c83215
RedLineStealer
3b28cef3fbfcc3a04ec60110dc57b789425a4bab6b7be57e20b7bbd08783e043
RedLineStealer
41f7f900d07f07c3f6d9d8aba51633b84766f7afe166505ac25a1bc5854f5f4a
RedLineStealer
c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
RedLineStealer
cb3685962d9ff91cf33b96743e762ed6216084c7704170beeb2ba69810b9b44a
RedLineStealer
cf0f62c6105ceec3db23af296678feed3ea95d14ff032223d5397c7351cfc9e0
RedLineStealer
e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
RedLineStealer
fcc6991da240e198d58b22894f5eee6f1c0ba2a73774145747fe70be835bd8d8
RedLineStealer
+ 1'787 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220610-kd5wgahbhn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
b0c5132390d4c0a2ed0699d32b5973464cce1a92d57591b8311bd05a5dc3a67c
MD5 hash:
1692bab9f7b4b538d630e6d06003a5a8
SHA1 hash:
f90d8aacb4719978e167dfe44a71ba3c0effe418
Link:
https://www.unpac.me/results/cc73f2ba-20eb-4caf-876a-ff2ae4d15a18/
SH256 hash:
6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189
MD5 hash:
0768fd9a6c0344944a223b28eedff41f
SHA1 hash:
7c6747ffd37ebd058a35320de47d9d67f040e96d
Link:
https://www.unpac.me/results/cc73f2ba-20eb-4caf-876a-ff2ae4d15a18/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/278602/

Comments