MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7343b3706d03e104cdebd561ec441807a5424d4b48778a1396388c654a5e123c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 8 File information Comments

SHA256 hash:	7343b3706d03e104cdebd561ec441807a5424d4b48778a1396388c654a5e123c
SHA3-384 hash:	4a6da322819021a20b98f2f73f01ba139776bb63a3974cdedf3b5d438ddbc2453395f471803f5e965bf785a4ef97d0b3
SHA1 hash:	7abf9da22e35d13a2ad6a7e7fcf5773bae016bd1
MD5 hash:	a1ed011dcb51f6787c27f09124345fe9
humanhash:	leopard-charlie-five-louisiana
File name:	7343B3706D03E104CDEBD561EC441807A5424D4B48778.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	577'296 bytes
First seen:	2021-08-13 21:15:31 UTC
Last seen:	2021-08-13 21:43:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:+++4fSzkNDYb+iuD6eQpSdYtYZsoL6EAwKM8TE/2H9:O4GysbluueaSatYZGMw1H9
Threatray	1'399 similar samples on MalwareBazaar
TLSH	T1D1C41E03BD4CE311A9E05E3750EE6D3C63E559CA8633520BBF05FDAA24B26859CB136D
dhash icon	6871e0e8cccc8a42 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
194.87.146.179:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
194.87.146.179:80	https://threatfox.abuse.ch/ioc/184781/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7343B3706D03E104CDEBD561EC441807A5424D4B48778.exe

Verdict:

Malicious activity

Analysis date:

2021-08-13 21:17:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/06390ada-c4e1-4471-93f3-2062c43dbe0f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/179093/

Detection(s):

SecuriteInfo.com.Trojan.MSIL.Reline.ic.6936.22792.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Creating a window

Sending a UDP request

DNS request

Connection attempt

Sending an HTTP POST request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/109bddd3-0f9a-426b-907e-9c9efd70af48

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/832669

Signature

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7343b3706d03e104cdebd561ec441807a5424d4b48778a1396388c654a5e123c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-05 22:05:23 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=onb3g4dnapqqjtpl2vq6yraya6suetkljb3yue4whcggkss6ci6a._file

Verdict:

malicious

RedLineStealer

116f9376345bff871a74ae9878f51caa3b4487143ff1e321ceb9a2a84bc96d7a

RedLineStealer

20ed0f1b402d630a3e131e9e788c57a74d348bcc358e1c0e6f5fd112ad838ab3

RedLineStealer

397e2b5da2c8a13a8eafd1d05a6a320fdb9c18d90811787ec4383531e683f2ba

RedLineStealer

510d3eadc5652908d47db79067009b04cf4e9234720f052e90cc7d18ffad0b20

RedLineStealer

619f3111ecda81c05a1caa5d84be3bd13afd54439610738637615da53418922a

RedLineStealer

7ae4b1290aa4d0f4f7985604c7ab31f82ee88f15e1a94042723ecc45f141da46

RedLineStealer

987540db2502a6f2264ecd208ff0bd4cc30fd4dd96ce8829d6d537660b7f2826

RedLineStealer

98b74ea068218a325878848a9631ccabf943ca0ac0a0ff435b6ed276d806c72b

RedLineStealer

bae19f194f0d4d760e6dd07ce9e806d052d7dfcaa11c7dd15523b6967e2c9d22

RedLineStealer

+ 1'389 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:22 infostealer

Link:

https://tria.ge/reports/210813-yfqgj56l5x/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Malware Config

C2 Extraction:

GAMELABPRO.CLUB:80

Unpacked files

SH256 hash:

bbe71ea4d96f97dd01747ab6b8bb67aebbeaf246c1ea3d90cee53d117c480941

MD5 hash:

ed215beb149451d301ade79466135379

SHA1 hash:

feffa0bfc6305273c5a0fa78cfa777085f0990e7

Link:

https://www.unpac.me/results/ecd2762b-a652-4889-9c7a-f58a0e48caf1/

SH256 hash:

609984839a4c6a3d5ec455929816429f37879a5535191fe9f3bdf55973b1fcf5

MD5 hash:

c7f4ecad96a30fd660484b49439904bb

SHA1 hash:

13b60f60b5b4e4bf67c99272fde121b3f677132e

Link:

https://www.unpac.me/results/ecd2762b-a652-4889-9c7a-f58a0e48caf1/

SH256 hash:

7343b3706d03e104cdebd561ec441807a5424d4b48778a1396388c654a5e123c

MD5 hash:

a1ed011dcb51f6787c27f09124345fe9

SHA1 hash:

7abf9da22e35d13a2ad6a7e7fcf5773bae016bd1

Link:

https://www.unpac.me/results/ecd2762b-a652-4889-9c7a-f58a0e48caf1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7343b3706d03e104cdebd561ec441807a5424d4b48778a1396388c654a5e123c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179093/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample