MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
SHA3-384 hash: fce7b3adebb0edf748bfc52528cd735926f421d776a9497a956a2bd24908db9172dd5c5071a0d55af6f06db94e57c272
SHA1 hash: 769b150e219c7e8d7221f7a0f0ba6ef617fd036d
MD5 hash: 3082e7832f7a31397990d4d3ae4c75c9
humanhash: uncle-orange-august-one
File name:3082e7832f7a31397990d4d3ae4c75c9
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:518'016 bytes
First seen:2023-09-16 09:56:52 UTC
Last seen:2023-09-16 11:56:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:Y52GLrQ8WKhR14o4XQQDTpXIvh+TodRV64apJN9wLOM21H:2DLrPWKhR1Ul45+TsX64a2iH
Threatray 17 similar samples on MalwareBazaar
TLSH T127B4CF9837A25696D4BF1F740572E2948779FCD39A2183CA218331DE0EB2640FB54F7A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 16c8d8bcbcd8c816 (4 x DarkTortilla, 2 x RedLineStealer, 1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
3082e7832f7a31397990d4d3ae4c75c9
Verdict:
Malicious activity
Analysis date:
2023-09-16 09:57:39 UTC
Tags:
redline stealc stealer loader
Link:
https://app.any.run/tasks/eafbb599-175d-4c06-a2b3-146b1b2c69c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/449012/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.20948.6274.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed packed replace
Link:
https://www.filescan.io/uploads/65057bef33582f234ef8afa1/reports/e779bb33-f7ee-4fbe-adb9-d4feff309eef/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebb01289-2064-4b56-8a5b-dce702d1d76a
Result
Threat name:
RedLine, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309412
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309412 Sample: 890Qwg1EDv.exe Startdate: 16/09/2023 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 12 other signatures 2->43 7 890Qwg1EDv.exe 15 3 2->7         started        process3 dnsIp4 27 logpasta.com 188.166.57.133, 443, 49710, 49722 DIGITALOCEAN-ASNUS Netherlands 7->27 29 www.logpasta.com 7->29 53 Writes to foreign memory regions 7->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->55 57 Injects a PE file into a foreign processes 7->57 11 AddInProcess32.exe 14 3 7->11         started        15 AddInProcess32.exe 1 16 7->15         started        17 AddInProcess32.exe 7->17         started        19 AddInProcess32.exe 7->19         started        signatures5 process6 dnsIp7 31 www.logpasta.com 11->31 33 logpasta.com 11->33 59 Writes to foreign memory regions 11->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->61 63 Injects a PE file into a foreign processes 11->63 21 ilasm.exe 5 11->21         started        35 85.209.11.51, 49732, 80 SYNGB Russian Federation 15->35 65 Tries to steal Mail credentials (via file / registry access) 15->65 67 Found many strings related to Crypto-Wallets (likely being stolen) 15->67 69 Tries to harvest and steal browser information (history, passwords, etc) 15->69 71 Tries to steal Crypto Currency Wallets 15->71 signatures8 process9 dnsIp10 25 45.142.122.192, 16503, 49733 DE-FIRSTCOLOwwwfirst-colonetDE Russian Federation 21->25 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->45 47 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->47 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 51 Tries to steal Crypto Currency Wallets 21->51 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740/
Threat name:
ByteCode-MSIL.Spyware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-15 18:41:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofxwg6omgkx3apxsmonrjyzljx2vhc4zxbg27y2vwopysnhhy5aa._file
Verdict:
malicious
Similar samples:
0cd41ce6482bced75d2d9e9ed1395b7ef2abc8d76c6a1ffdfd0f72193719f282
RedLineStealer
86d03db5bc38058981a38f02f81530fd8fabb10d2911377ecdee221cc525c63a
RedLineStealer
9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d
RedLineStealer
b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3
RedLineStealer
d87502f99648aac5100598129fd31648afb3dce99bfaf4274dce3997c1bfa6d7
RedLineStealer
e007c47e0d8481bc55c96cf726690770e50211b8087b4674f9dee04f51bc6a17
RedLineStealer
e54f49d1acb2f52c5a889249ec33b5d56135140013b749c920cc53dc461682a6
RedLineStealer
+ 7 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:redline family:stealc infostealer spyware stealer
Link:
https://tria.ge/reports/230916-lyxk9sce48/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
RedLine
RedLine payload
Stealc
Malware Config
C2 Extraction:
http://85.209.11.51
Unpacked files
SH256 hash:
716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
MD5 hash:
3082e7832f7a31397990d4d3ae4c75c9
SHA1 hash:
769b150e219c7e8d7221f7a0f0ba6ef617fd036d
Link:
https://www.unpac.me/results/84ecd56c-c09c-4529-a3dc-1535bae5a81a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/716f6379cc32/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712019/
Cape
Cape
https://www.capesandbox.com/analysis/449012/

Comments


Avatar
zbet commented on 2023-09-16 09:56:52 UTC

url : hxxp://h170703.srv22.test-hf.su/172.exe