MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7918e6ed1823254990f59d6015d43cae2f3cccad92e725aa9b2a0f294dc08b61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	7918e6ed1823254990f59d6015d43cae2f3cccad92e725aa9b2a0f294dc08b61
SHA3-384 hash:	57281496ad4cc9ab6c01855af79495305226425a7e25c5124fd375324cfd5c9180de5636552301655b9777b6a320a407
SHA1 hash:	e3fbb5cf858bba309f6610a7c118097d14bfcfa1
MD5 hash:	67d05b59a14493bbe952ed4b8b5f9f18
humanhash:	eleven-snake-mexico-virginia
File name:	67d05b59a14493bbe952ed4b8b5f9f18
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	32'768 bytes
First seen:	2020-11-17 12:04:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:k3XBp5YPHsxzzX3u7FIfOZURlDCd0a2DqdEE4tqCf/h:khp5EshzX3u7FjMlAXiENA
Threatray	205 similar samples on MalwareBazaar
TLSH	9FE21710F3E88AB5C1EB4B7414F18A2907B6F2561903DB6E6ADC21D85EF37D04B527A3
Reporter	seifreed
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

1

# of downloads :

60

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file

Creating a process from a recently created file

Sending an HTTP POST request

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file in the %temp% directory

Deleting a recently created file

Running batch commands

Launching a process

Sending a TCP request to an infection source

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7918e6ed1823254990f59d6015d43cae2f3cccad92e725aa9b2a0f294dc08b61/

Threat name:

ByteCode-MSIL.Trojan.Azorult

Status:

Malicious

First seen:

2020-11-06 21:44:00 UTC

AV detection:

33 of 48 (68.75%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pemon3iyemsutehvtvqblvb4vyxtztfnsltslku3fihsstoarnqq._file

Verdict:

suspicious

Similar samples:

09cb72a7bbb6ed837874193fcecdc231ed9d87752d1d1f668e7afcb2f10440de

1e2773c36054c3392f3e220d4c22cce63f31750c2ee6707198e4d15648f11897

3c90e174ff5097d991e0b99001a4e64e0c9e312df0ec03cee51380148974920e

95aee7e64808e12f340834e6b49c3541c1e5e0b3a1ff1fcd7eb2591a83b619fb

a8f02b8afe1ae18247c52d2e7272de680c81e7f215c5302d9c0961ff3ad52cb9

aa10af5c6a92dc01b8ba38871c9a1b111cc36a6e0f6d1a039b5ba624bb700a36

b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04

b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6

e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c

e8406edde4743eec38d88fd58f2c79b11d09d76bcd57b757cdf5844ea5bd55e7

+ 195 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:agenttesla family:redline discovery infostealer keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201117-j14llty5rs/

Behaviour

Modifies system certificate store

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Checks installed software on the system

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

RedLine

Unpacked files

SH256 hash:

7918e6ed1823254990f59d6015d43cae2f3cccad92e725aa9b2a0f294dc08b61

MD5 hash:

67d05b59a14493bbe952ed4b8b5f9f18

SHA1 hash:

e3fbb5cf858bba309f6610a7c118097d14bfcfa1

Link:

https://www.unpac.me/results/bf389d63-8d0e-4c65-8181-3ce8e28eba42/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample