MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a2f14ffdb0f38c7b3175e0d7c617cf6130c45e64fc1b958813971dc0bda191d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a2f14ffdb0f38c7b3175e0d7c617cf6130c45e64fc1b958813971dc0bda191d
SHA3-384 hash: 6d5418a305355fd7263c4f03facd0285a14be455f3d1c8eb0b5a8895bde4b43e11e9794be8d0e1fd37fa9345d2f52303
SHA1 hash: 21d1ee408b3f57e4f33219a20a102de0396def3f
MD5 hash: 726220e3addfee76a8405040cc049743
humanhash: muppet-hydrogen-stairway-saturn
File name:Reptile_World_Launcher.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'013'504 bytes
First seen:2022-11-14 16:58:52 UTC
Last seen:2022-11-14 18:51:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e0aad28680b6f5289545d9a4e5d80e7 (1 x RedLineStealer)
ssdeep 98304:ef69wmch9dEzWK3iABXayv/3CuAUroFFeYQ5/1eCZh3XDVvA:I69wB9dEziK9v/31JqmVh3XZI
Threatray 181 similar samples on MalwareBazaar
TLSH T13E362363626A0045E7E5C93DC627BED871F342F687C2CCB8E9B978C965114E4E213E63
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71e4f2e0f6e4e870 (2 x RedLineStealer, 1 x DCRat)
Reporter iamdeadlyz
Tags:exe RedLineStealer ReptileWorld


Avatar
Iamdeadlyz
From reptile-world.net (impersonation of rchronicles.org)
RedLineStealer C&C: 77.73.134.13:3660

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Reptile_World_Launcher.exe
Verdict:
Malicious activity
Analysis date:
2022-11-14 17:01:55 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e9396eb3-c707-45df-87be-fb3b6abe697a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333851/
Detection(s):
SecuriteInfo.com.Trojan.Heur.TP.@J0@bOpU5Gh.21904.25998.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/52388/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/637273d842e3c45b840c06e6/reports/790e9649-0e9f-4981-936f-e5c7908beab3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5060ef53-7998-454f-9302-ce6d8ab45cb0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1113083
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a2f14ffdb0f38c7b3175e0d7c617cf6130c45e64fc1b958813971dc0bda191d/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-11-14 16:59:17 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pixrj763b44mpmyxlygxyyl46yjqyrpgj7a3swebhfy5yc62deoq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1b189602123e4dba4522d442877fb0862a8fbbc4cc6d187954ba27039bea7d9c
RedLineStealer
58ae170573fd183ada1906291ca170724608a6a6217d84a6e5f0e400c3b1f481
RedLineStealer
8facf32116a5f68467c71032d3a207abaa20fbcc56fcab6a3db650b4d30ad115
RedLineStealer
90c3df045da659194fcf00893e7cd940de6dff4f17830444501e06d1488f06ec
RedLineStealer
d0468132645d923f7f4a1c5bea930fa47a149dfb0d2b28a167c62cf4a04911ba
RedLineStealer
d72645347b3fa6134cc416b6b9d73eec9d4ef2af4dbf26c6b91da795144c394c
RedLineStealer
e457b29f4284228a96888af4fcd0478084802e48afca814cb203c279d796af33
RedLineStealer
+ 171 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/221114-vhd9esha2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
RedLine
RedLine payload
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/308f1ce1-1412-41c7-b786-54d3dcf86a60
Unpacked files
SH256 hash:
da416a03fec76d3d78c2cabafaf0f332829184a5a85977c9ebc76e4607b1d123
MD5 hash:
cebf3299036b96284db5897bde1cf98e
SHA1 hash:
a14ba680163e03649d8ecb0b427956d822dee5a9
Link:
https://www.unpac.me/results/d6984433-9f35-4714-acbb-b478f68da0f1/
SH256 hash:
4778ef15bcd58dea403c4fc743aea310887a9cf7740f3fa93a9d2bbc02933d00
MD5 hash:
3962314f0b9e62d481a5a2119818d795
SHA1 hash:
d34617ec20572e0c619b8009b1e245be4591ab2a
Link:
https://www.unpac.me/results/d6984433-9f35-4714-acbb-b478f68da0f1/
SH256 hash:
7a2f14ffdb0f38c7b3175e0d7c617cf6130c45e64fc1b958813971dc0bda191d
MD5 hash:
726220e3addfee76a8405040cc049743
SHA1 hash:
21d1ee408b3f57e4f33219a20a102de0396def3f
Link:
https://www.unpac.me/results/d6984433-9f35-4714-acbb-b478f68da0f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a2f14ffdb0f38c7b3175e0d7c617cf6130c45e64fc1b958813971dc0bda191d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

zip dcddfa4a3c9f52a3d9a4d797112d8cbce8e939d611833f0140338fcbd440a83c

RedLineStealer

Executable exe 7a2f14ffdb0f38c7b3175e0d7c617cf6130c45e64fc1b958813971dc0bda191d

(this sample)

  
Dropped by
SHA256 dcddfa4a3c9f52a3d9a4d797112d8cbce8e939d611833f0140338fcbd440a83c
  
Dropped by
SHA256 ce6b6abb5fde07f7a967e42e0302f49a9cb9e41f51e8d74a872c577e526036cf
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/333851/
  
URLhaus
https://urlhaus.abuse.ch/url/2411534/
  
Dropped by
MD5 2cde445a9aec4dbd1ccf251e7fec4f4b
  
Dropped by
MD5 f968d4ccaecaafadf5ed4a69af7a5f07

Comments