MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7376d32f8171d48ea13d212885e8cb3701913eb054c2431adc9782e465d271e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7376d32f8171d48ea13d212885e8cb3701913eb054c2431adc9782e465d271e0
SHA3-384 hash: 64333b8f6adba6cc055e9ef21f34b87cc46620f1fce2fc0ebc1f0529d145741775ea89b65f67d9fa15c8c182f9e19f0d
SHA1 hash: 3e21b5ec8b768a2685dddfeb2b5f62ed45a7e349
MD5 hash: 1005e19b1ebb8f50e1a8106064d3cd1c
humanhash: georgia-alpha-speaker-asparagus
File name:download.dat.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:315'392 bytes
First seen:2021-07-15 19:06:54 UTC
Last seen:2021-07-15 19:43:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:/KbxCkZW7zy7nzo1NmN8a4jpxE5qrwbjo1:/wCkZW7zy7nzo1NmN8a4jpxE/P
Threatray 1'059 similar samples on MalwareBazaar
TLSH T17A64CB202DFF105DF3B3AE7C5BD875AF596AF7B3260A60B8107186464722A81CDD2739
Reporter James_inthe_box
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Phonzy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172069/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.10665.19744.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c38f0cc-979d-404b-bb92-7dc3f1484e32
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817150
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Service Binary Directory
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449561 Sample: download.dat.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 71 Multi AV Scanner detection for domain / URL 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Sigma detected: Suspect Svchost Activity 2->75 77 6 other signatures 2->77 7 download.dat.exe 18 8 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 7 other processes 2->16 process3 dnsIp4 65 bakercost.gq 104.21.13.164, 443, 49712 CLOUDFLARENETUS United States 7->65 55 C:\Users\Public\Documents\...\svchost.exe, PE32 7->55 dropped 57 C:\Users\user\...\download.dat.exe.log, ASCII 7->57 dropped 59 C:\Users\...\svchost.exe:Zone.Identifier, ASCII 7->59 dropped 79 Adds a directory exclusion to Windows Defender 7->79 81 Drops PE files with benign system names 7->81 83 Injects a PE file into a foreign processes 7->83 18 download.dat.exe 7->18         started        21 powershell.exe 24 7->21         started        23 powershell.exe 25 7->23         started        25 powershell.exe 7->25         started        61 C:\Users\user\AppData\...\svchost.exe.log, ASCII 12->61 dropped 85 Multi AV Scanner detection for dropped file 12->85 87 Machine Learning detection for dropped file 12->87 27 powershell.exe 12->27         started        29 powershell.exe 12->29         started        31 powershell.exe 12->31         started        33 svchost.exe 12->33         started        35 3 other processes 14->35 67 127.0.0.1 unknown unknown 16->67 69 192.168.2.1 unknown unknown 16->69 89 Changes security center settings (notifications, updates, antivirus, firewall) 16->89 file5 signatures6 process7 dnsIp8 63 premiumservice.awsmppl.com 194.187.251.163, 49732, 58867 M247GB United Kingdom 18->63 37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 35->49         started        51 conhost.exe 35->51         started        53 conhost.exe 35->53         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7376d32f8171d48ea13d212885e8cb3701913eb054c2431adc9782e465d271e0/
Threat name:
ByteCode-MSIL.Hacktool.Aikaantivm
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 19:06:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
17 of 46 (36.96%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
00668082deeb1c79ed4a3b9cc93bdcb63a49a67dce5f931c0ec4de660a758334
RedLineStealer
089e8696eff20b84e89e801127624dada3b321b0523d45cb648d437af4271716
RedLineStealer
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
RedLineStealer
41ec47ce62f13677c0c4576c97e299471072aa9ade05670ad0aefdbbd9187fca
RedLineStealer
68815fd1b30680f0810f01b9d651b31995e2dbce667d2e2a785eab4c1e56765c
RedLineStealer
74fcf52e21cc888d770d0b11d411a10bf58b17de81d9376856a381f416bf1a39
RedLineStealer
82db91ac779a5be13c8cb0ec1317c294a6447cef309083d19dbc0f661292d362
RedLineStealer
ac2f6be5e15c9c9344043219d8487fdbe92ad443fa23b195b4f4baee5500a5f9
RedLineStealer
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
RedLineStealer
f8292298f2fe8d14012c0c6d4b98ef47d38dfb0e8e359a81fbcfd338d915dfbb
RedLineStealer
+ 1'049 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210715-b3hrmwnn86/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
autoit_exe
Adds Run key to start application
Windows security modification
Windows security bypass
Unpacked files
SH256 hash:
7376d32f8171d48ea13d212885e8cb3701913eb054c2431adc9782e465d271e0
MD5 hash:
1005e19b1ebb8f50e1a8106064d3cd1c
SHA1 hash:
3e21b5ec8b768a2685dddfeb2b5f62ed45a7e349
Link:
https://www.unpac.me/results/d4394238-a826-4481-8212-0670b0cb7cbe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7376d32f8171d48ea13d212885e8cb3701913eb054c2431adc9782e465d271e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/172069/

Comments