MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b
SHA3-384 hash: 694afcff8839bd190bbe7c0f4f09db18403b3fdadee48422183e889f09bf954cba507afa6d9579e8b6b1752cf26ad69d
SHA1 hash: 2335736ebb5b727dd221adaaf4a6e319d54650c1
MD5 hash: a18b2b6648a6e116fb85974ed5b174eb
humanhash: artist-florida-happy-fillet
File name:a18b2b6648a6e116fb85974ed5b174eb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:545'280 bytes
First seen:2022-08-26 05:59:03 UTC
Last seen:2022-08-26 06:35:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bfab4dfd6d8a257133e2d17c18547b2 (3 x DanaBot, 2 x Nymaim, 2 x Smoke Loader)
ssdeep 12288:J7EaM88A/SFXR2i8u+kkXdXoDzXQfYw4wunnq:lP/KpR2pL5XtoDDQf4bq
Threatray 2'329 similar samples on MalwareBazaar
TLSH T1CDC402B4F29DC5F1F067153094269EA219AFB8525464064B23A82E1E2F61FCF05F6F2F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a88d96968e964c2d (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a18b2b6648a6e116fb85974ed5b174eb.exe
Verdict:
Malicious activity
Analysis date:
2022-08-26 06:04:50 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/01375fd3-aa52-455b-abe6-66ade3de170e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/301293/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.91252.28133.4897.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Creating a window
Sending an HTTP POST request
Searching for the window
Reading critical registry keys
Running batch commands
Launching a process
Launching the process to change network settings
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/630861db3cbb13868a833890/reports/2ac14e0a-d1f7-42da-bb8c-0a7d107c0425/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Tandem Espionage
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96a9428b-3ec3-403a-88c6-87158ce17352
Result
Threat name:
Eternity Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058158
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses TOR for connection hidding
Yara detected Eternity Stealer
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 690675 Sample: eDmT5fWQAr.exe Startdate: 26/08/2022 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 10 other signatures 2->66 8 eDmT5fWQAr.exe 4 2->8         started        process3 file4 44 C:\Users\user\AppData\Local\...\Stealer.exe, PE32 8->44 dropped 46 C:\Users\user\AppData\Local\...\Clipper.exe, PE32 8->46 dropped 48 C:\Users\user\AppData\...\eDmT5fWQAr.exe.log, ASCII 8->48 dropped 74 Detected unpacking (changes PE section rights) 8->74 76 Detected unpacking (overwrites its own PE header) 8->76 12 Stealer.exe 15 5 8->12         started        16 Clipper.exe 16 2 8->16         started        signatures5 process6 dnsIp7 52 31.172.70.33, 49749, 8118 VOLIA-ASUA Netherlands 12->52 54 ip-api.com 208.95.112.1, 49729, 49730, 80 TUT-ASUS United States 12->54 58 2 other IPs or domains 12->58 78 Antivirus detection for dropped file 12->78 80 Multi AV Scanner detection for dropped file 12->80 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->82 88 5 other signatures 12->88 18 cmd.exe 1 12->18         started        21 cmd.exe 1 12->21         started        23 cmd.exe 1 12->23         started        56 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet 198.251.83.154, 49731, 80 PONYNETUS United States 16->56 84 May check the online IP address of the machine 16->84 86 Machine Learning detection for dropped file 16->86 signatures8 process9 signatures10 68 Uses ping.exe to check the status of other devices and networks 18->68 70 Uses netsh to modify the Windows network and firewall settings 18->70 72 Tries to harvest and steal WLAN passwords 18->72 25 netsh.exe 3 18->25         started        27 conhost.exe 18->27         started        40 2 other processes 18->40 29 netsh.exe 3 21->29         started        31 conhost.exe 21->31         started        42 2 other processes 21->42 33 PING.EXE 1 23->33         started        36 conhost.exe 23->36         started        38 chcp.com 1 23->38         started        process11 dnsIp12 50 127.0.0.1 unknown unknown 33->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 09:51:10 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5u7f7rc36vepv75w7otu6fw72xdr2sjbxblqg35argnmsbwiknq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1ac5871f2a0cb7448f6f7d6cbf6602954589bf34940e899ba284730bb9623b2e
RedLineStealer
1d128ffc3927d02e3393da5e27d2557766f82df921b09d42603b08d5724e9e9a
RedLineStealer
1e40b7a3aca5fa0302e9f6c2e4b10f738f8ad2e357cb0987f175c456f67e8e67
RedLineStealer
5e378aae9cda5f348d778ad6135eba6b04fb4c625f20900abcde1e75289f86c4
RedLineStealer
9542930037fd5f2261b592841e3522f75328e15e153144d732727fedd0a8d8c8
RedLineStealer
9d313aa0090d3425564379e7674795b68f050ec6473b1ced106fff220a8749d4
RedLineStealer
beedb7cc465933bc983dab4c41f8464d985ec15680f60dec4f27e0a96e88939d
RedLineStealer
dd0ebb1754536db3622a591fa76c6a8d66ebfdb5fa5327ef2737601dedfa2818
RedLineStealer
+ 2'319 additional samples on MalwareBazaar
Result
Malware family:
eternity
Create hunting rule
Score:
  10/10
Tags:
family:eternity clipper collection spyware stealer
Link:
https://tria.ge/reports/220826-gqbavagcdr/
Behaviour
Checks processor information in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Detects Eternity clipper
Eternity
Malware Config
C2 Extraction:
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Unpacked files
SH256 hash:
bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890
MD5 hash:
8ca91deb0b495906ddcb1baf997dedf7
SHA1 hash:
cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4
Link:
https://www.unpac.me/results/c16e19d5-63b3-4005-a94d-3b50ebc00b2f/
SH256 hash:
80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e
MD5 hash:
d1cdefb0ed7a84fdb2aba99ec065d2e2
SHA1 hash:
9cad12bc5214a118e72424b6d7799d362383f8f5
Link:
https://www.unpac.me/results/c16e19d5-63b3-4005-a94d-3b50ebc00b2f/
SH256 hash:
0f6f4af40bdcedf27d8da02dbcd670417c62681519fe1acc78ba1c312d910f8b
MD5 hash:
8307604bb90409526c1ec3c480fbc153
SHA1 hash:
6d39498d76f1355b39e8724024e0a35ea40506e9
Link:
https://www.unpac.me/results/c16e19d5-63b3-4005-a94d-3b50ebc00b2f/
SH256 hash:
9de05ecd33edd5ec6147d2b9d25331f595ae94d9fd182f338474dda95d02ef37
MD5 hash:
c4f6499197a630d599c23f7e640394c6
SHA1 hash:
0a79013551d83abffb44cbcdf83edc4fc58eb142
Link:
https://www.unpac.me/results/c16e19d5-63b3-4005-a94d-3b50ebc00b2f/
SH256 hash:
1f8cb9f12fb9e4c50655cdbe5259d53b3c699936f65107a5ccc18cdf44a3d0c5
MD5 hash:
d74bb97589850a315dc05518a1c7a6b2
SHA1 hash:
044e991447a0fb8b6ef3c5f86da5d8c78297bd6c
Link:
https://www.unpac.me/results/c16e19d5-63b3-4005-a94d-3b50ebc00b2f/
SH256 hash:
af315756fd260c8fc79db3096ffd839a7f481507bb0d4a8a60644107e40384d9
MD5 hash:
26bb3f320764badd97701e1a5ec07b11
SHA1 hash:
64b0788f73def09113a0d370d8a4371c2b3a27ee
Link:
https://www.unpac.me/results/c16e19d5-63b3-4005-a94d-3b50ebc00b2f/
SH256 hash:
7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b
MD5 hash:
a18b2b6648a6e116fb85974ed5b174eb
SHA1 hash:
2335736ebb5b727dd221adaaf4a6e319d54650c1
Link:
https://www.unpac.me/results/c16e19d5-63b3-4005-a94d-3b50ebc00b2f/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f69f2fe22df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301293/

Comments