MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dce107f03eaeb9834f9c1a822dd42ef01a058500dfc275fc595f2a3f83e4198. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dce107f03eaeb9834f9c1a822dd42ef01a058500dfc275fc595f2a3f83e4198
SHA3-384 hash: 89d09a8d32cf33eee3b4cc10588e4adf7f7d52077ae7a2c09b85a043b7208aae4da1f272da46cba74dd64887ec6a7593
SHA1 hash: ea41591265bf92372c1eda6afd785582f3b46ae8
MD5 hash: 18b02788ac70b266a2bc26da3d49743c
humanhash: fish-winner-cardinal-california
File name:Swift Copy.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'463'808 bytes
First seen:2021-06-01 06:30:01 UTC
Last seen:2021-06-01 08:09:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Ya9W8sAsAIhqKFs+63p6rjUctHPoKtFq6NztPskw02zXXxtkOBYL9HUjs6esfV1P:Y
Threatray 263 similar samples on MalwareBazaar
TLSH 9A652B157AE7409F733449EA42A4FDED884F3AAA183C31C57250A71B47A0949C7E2F7E
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift Copy.exe
Verdict:
No threats detected
Analysis date:
2021-06-01 06:32:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f07e1f9-170c-4af3-bc29-ff1d8b70749b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163643/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37010971.8066.11290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/795195
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dce107f03eaeb9834f9c1a822dd42ef01a058500dfc275fc595f2a3f83e4198/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 02:19:01 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxhba7yd5lvzqnhzygucfxkc54a2awcqbx6cox6fsxzkh6b6igma._file
Verdict:
unknown
Similar samples:
09969e8d7af6e0c3ef34c344fe378dd23b6f93abcda793c052e36d1777c35ce7
RedLineStealer
4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9
RedLineStealer
47023d3193e8bc696cb4cbeb74ab476f5c67aa06c30729186da615073c0d0222
RedLineStealer
7fd7f40eb596ec6e50350e8b76a874dcd137229bf6cd86f8822fda8b0e7a37cc
RedLineStealer
8e24deef02dafdd33ba55a11048a56ced1b05b26b7ff44330954c905976c4ddf
RedLineStealer
8f8198fc76f32f907c255e1715f44deaabd4677f4cc708ecfd6afb1a50d9bcfc
RedLineStealer
ac17f0b501e5e53e536161b5c4e3f5dec441eabee62c4c66b09fda85cfea0b13
RedLineStealer
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af
RedLineStealer
cc17491bc178e0e70f05ea771879c0a3f800fc44ce53c9eb201613583d85b569
RedLineStealer
fccbf385c83dc8e754969e064852fab5fcaab99c564f6679a22a944ef76e20b0
RedLineStealer
+ 253 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210601-vrsh33f8ra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/7dce107f03eaeb9834f9c1a822dd42ef01a058500dfc275fc595f2a3f83e4198

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 7dce107f03eaeb9834f9c1a822dd42ef01a058500dfc275fc595f2a3f83e4198

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/163643/

Comments