MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eb0365d91d0933ba2ca948507764aec29f9c7596fb31826d5721a6b8cb0ebcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7eb0365d91d0933ba2ca948507764aec29f9c7596fb31826d5721a6b8cb0ebcb
SHA3-384 hash: 9b7f5ce9d6f568fc9cd91da5b69e54244421edfba208d41ad7cd8d78974bf9d2727f32b25708dbc659634998850aa922
SHA1 hash: 625805134e3b1c6d542bd6c4636d9a0783732f68
MD5 hash: 0160978a7835d130f3ce966df506ddf2
humanhash: four-pennsylvania-paris-skylark
File name:0160978a7835d130f3ce966df506ddf2
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:879'328 bytes
First seen:2021-06-24 01:42:39 UTC
Last seen:2021-06-24 03:19:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:X/SzFt6unRFfUMbz1OuI+w0NDuJ+QOl651CPbgWy/pQEZ:XKNRFfUMXgUrND6+6rCPUh/qEZ
Threatray 387 similar samples on MalwareBazaar
TLSH 9315DA137C4CE311E9E05E3750EE6D3C23E559CA8633560BAF06FDAA24B26469CB136D
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0160978a7835d130f3ce966df506ddf2
Verdict:
Malicious activity
Analysis date:
2021-06-24 01:45:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c07006d3-6711-4643-96ec-13c0a65334db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37129442.31294.9458.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10d6b0cc-58aa-4deb-9adb-2090f72b4c5e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.mine
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/807051
Signature
.NET source code contains very large array initializations
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7eb0365d91d0933ba2ca948507764aec29f9c7596fb31826d5721a6b8cb0ebcb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 19:17:30 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
16bf40060a0544cf49bda85272b976265fb56248c6068d7d95296937af664ecc
RedLineStealer
179f9905156fda8b2133753c8f587fb62b3f945e6b1f5f36d151da54b558c0aa
RedLineStealer
2263fd1332612187cb951793ae3b34b74bd815da95d82b9d04d1fd6facb8311b
RedLineStealer
24a722ce99ba486cf511c6534f66b8e8c9e7f90836dbcbd46e608dc085657a1c
RedLineStealer
376dbe67670b9c9934c6cebd15b2992b8eb9b072079cdc9e3ff33030932d57c1
RedLineStealer
5b91bb848d517bcd9a1e86f73bfec348326de4d5fbb0a80b6d0256f3a589e6c3
RedLineStealer
644e3f15cd7a653087fb7496f311e81ab32f6389d418928d0ad182191bb48104
RedLineStealer
aa9caf25dad5791972aa93eebcbc28ef4085bcd8cad33a9beb7b7a5cdad30452
RedLineStealer
af350212764e6304bf417e81cf0009b494119670e4bc1b187cd79cf4c487c7b6
RedLineStealer
d88b00afe502517f9415ac41667410acfc0bdbd7d74389de73256aafd8f7d5eb
RedLineStealer
+ 377 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210624-qbyl4a839j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5fad5ec3dcf83345ce061d3a1a4c2ea9b9faf88a9dfcc99f33c02885a9668071
MD5 hash:
dfad4f9065008505fea449cbf90e2e6c
SHA1 hash:
ecef1fd7812665b1efc676d83c46777a7e81b78c
Link:
https://www.unpac.me/results/9eab788c-048e-4259-99b8-f7fc7e642606/
SH256 hash:
c880c73c4bfb5897f02b4ec2e7c4dd5b183fdeafb0019cc0803977770e42168d
MD5 hash:
6b2714bd33fe83ca9f53e26bafc5b32b
SHA1 hash:
36c4169c6e7053ccc493d8b46a70d4642ce07481
Link:
https://www.unpac.me/results/9eab788c-048e-4259-99b8-f7fc7e642606/
SH256 hash:
7eb0365d91d0933ba2ca948507764aec29f9c7596fb31826d5721a6b8cb0ebcb
MD5 hash:
0160978a7835d130f3ce966df506ddf2
SHA1 hash:
625805134e3b1c6d542bd6c4636d9a0783732f68
Link:
https://www.unpac.me/results/9eab788c-048e-4259-99b8-f7fc7e642606/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7eb0365d91d0933ba2ca948507764aec29f9c7596fb31826d5721a6b8cb0ebcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Unknown_Malware_Sample_Jul17_2
Create hunting rule
Author:Florian Roth
Description:Detects unknown malware sample with pastebin RAW URL
Reference:https://goo.gl/iqH8CK

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7eb0365d91d0933ba2ca948507764aec29f9c7596fb31826d5721a6b8cb0ebcb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393220/

Comments