MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f03e5acd3ea1df09896ec7f366dac623153f2085be36d7b50251411c03e87b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	7f03e5acd3ea1df09896ec7f366dac623153f2085be36d7b50251411c03e87b5
SHA3-384 hash:	9773ac8a9f34511b98c5c1e5d5d2feb3725b993e59f115af87def5f88d51c11a4c833a37d84b2fac66baba5745822bb2
SHA1 hash:	0322f73ee5b64e2042deaf4967fb005693af9af0
MD5 hash:	57f024acdfa3cfa3b32f72b47a2e8018
humanhash:	triple-arizona-early-romeo
File name:	SecuriteInfo.com.Win32.TrojanX-gen.1766.30280
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	400'768 bytes
First seen:	2023-12-19 21:15:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12062d8b6887d7a0da34142af6a26a3d (4 x RedLineStealer)
ssdeep	6144:vTvQnjczDLtGwM0lKZYgT3LoGAONM5nSwxQ8CAj5u54SetCzo338UN7Dbcy:v8njcfLtn4L9/MVS2rCow4SetCzyZMy
Threatray	139 similar samples on MalwareBazaar
TLSH	T16C84AF107D828D73D6E6B53C06AEE7769E39B4A31B1DCBEB1FD1CAA98D301C09271914
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

366

Origin country :

FR

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468562/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.1766.30280.UNOFFICIAL

Alert

Create hunting rule

YARA.telnet_cgi.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Creating a window

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

control lolbin overlay packed rat

Link:

https://www.filescan.io/uploads/65820817b4e856b728201f90/reports/4e364333-fe23-4f5a-a814-5e1722029caf/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/7f03e5acd3ea1df09896ec7f366dac623153f2085be36d7b50251411c03e87b5

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer RedLine Stealer

Malware family:

RedLine Stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/068856bf-482b-4fdc-bd2b-8bec1cc2f60f

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364790

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/7f03e5acd3ea1df09896ec7f366dac623153f2085be36d7b50251411c03e87b5

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f03e5acd3ea1df09896ec7f366dac623153f2085be36d7b50251411c03e87b5/

ReversingLabs TitaniumCloud Win32.Trojan.Generic

Threat name:

Win32.Trojan.Generic

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-19 21:16:07 UTC

File Type:

PE (Exe)

AV detection:

12 of 37 (32.43%)

Threat level:

  2/5

Spamhaus Hash Blocklist

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p4b6llgt5io7bgew5r7tm3nmmiyvh4qilprw262qeukbdqb6q62q._file

Threatray malicious

Verdict:

malicious

Similar samples:

01b29eff3523ae2d4e8598e07d377e711e82a6ffb014ca3f070ff3dc0982e20a

RedLineStealer

4324d30a2941dae5e598e92fb88724aca1df89a6d65f383afda113714673e53f

RedLineStealer

94abe0de06a856e4e5088eb13028648466bbcfe2ba9edd40cda8912fe7d86e83

RedLineStealer

9604fa9dbbfbd3091bd16a36137c87dfc7b407b1664a2616710701837a8b8021

RedLineStealer

c9491f5eb282daf6b536f515cc9e1032af62919e727442c4e7ecbca2e9d8f8b0

RedLineStealer

d2a91bcf09bf0e0cf35213e66652457a40aff63d856ad49370612637a8847420

RedLineStealer

da928ea0a7b11461c0e4e77880b48723a1138e68c7948a153c17f5e9da624209

RedLineStealer

+ 129 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://tria.ge/reports/231219-z4frladddj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

UnpacMe redline

Unpacked files

SH256 hash:

747c38afa5561004df2632166411f55fa5f5389b5baf6e1b97c0f2e096fd2e4c

MD5 hash:

b3850ee3d78368b5e821213691ecd518

SHA1 hash:

14822fe17a5b16290c1e19d0c68c6fe487a65906

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/e31f26e5-7a89-4920-b460-74f7f676512c/

SH256 hash:

7f03e5acd3ea1df09896ec7f366dac623153f2085be36d7b50251411c03e87b5

MD5 hash:

57f024acdfa3cfa3b32f72b47a2e8018

SHA1 hash:

0322f73ee5b64e2042deaf4967fb005693af9af0

Link:

https://www.unpac.me/results/e31f26e5-7a89-4920-b460-74f7f676512c/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7f03e5acd3ea/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7f03e5acd3ea1df09896ec7f366dac623153f2085be36d7b50251411c03e87b5

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/468562/