MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7feb71e0bcd24d21e20f423434b4c9971c174c9e1aafedab36e2ecab1ff3a5bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: 7feb71e0bcd24d21e20f423434b4c9971c174c9e1aafedab36e2ecab1ff3a5bf
SHA3-384 hash: 1f51e256682a8e2c864258848f360c475f8a9489b31e6b93cd6668fe5d51039cda5507c70af6948b276bd1ce2c83c85d
SHA1 hash: c2861843b930684f3c15b779e1027ffffe96bcc7
MD5 hash: 8f6c7a779aad2fcebfde67b679378445
humanhash: april-finch-colorado-ink
File name: 8f6c7a779aad2fcebfde67b679378445
Signature: RedLineStealer
File size: 4'024'960 bytes
First seen: 2021-09-15 06:47:16 UTC
Last seen: 2021-09-15 08:11:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 49152:Qr+ZBqXFZAuJbEdSqXTqXVZAuJbEdZ/FluraLxTsEStIxvoLZa:QuQ3ISiG3IZbur8kt4
Threatray: 200 similar samples on MalwareBazaar
TLSH: T15D16BE0D0BD5D90AE27E427C5C7183AA4F709CF3C168BDEB22977D1C28B5D87A3152A6
Reporter: JAMESWT_WT
Tags: exe FOXIT SOFTWARE INC. RedLineStealer signature not verify signed

Code Signing Certificate

Organisation: FOXIT SOFTWARE INC.
Issuer: DigiCert EV Code Signing CA (SHA2)
Algorithm: sha256WithRSAEncryption
Valid from: 2020-09-07T00:00:00Z
Valid to: 2022-05-19T12:00:00Z
Serial number: 072472f2386f4608a0790da2be8a48f7
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: fd7ef46ac5c97813cb7f6d16e006a1febaa9e11bd7f414dcba0fb047b1bef09f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 3
# of downloads: 111
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8f6c7a779aad2fcebfde67b679378445
Verdict: Malicious activity
Analysis date: 2021-09-15 06:50:30 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 483544; sample qy2t7MIRoi; start date 15/09/2021; architecture WINDOWS; score 100), recovered from the graph image as a process tree:

Contacted hosts: sanctam.net; bitbucket.org; popmonster.ru (81.177.141.36, ports 443 and 49814, RTCOMM-ASRU, Russian Federation); 92.222.145.236 (ports 49737 and 60837, OVHFR, France); api.ip.sb
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 5 other signatures

qy2t7MIRoi.exe (started)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into a foreign processes
  qy2t7MIRoi.exe (child, started)
    Network: popmonster.ru (81.177.141.36); 92.222.145.236; api.ip.sb
    Dropped: C:\Users\user\AppData\Local\...\598714267.exe (PE32+); C:\Users\user\AppData\...\qy2t7MIRoi.exe.log (ASCII)
    Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    598714267.exe (started)
      Dropped: C:\Users\user\AppData\...\runtimeservice.exe (PE32+)
      Signatures: Machine Learning detection for dropped file
      cmd.exe (started)
        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        conhost.exe (started)
        schtasks.exe (started)
      runtimeservice.exe (started)
    conhost.exe (started)
  WerFault.exe (started)
    Dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
runtimeservice.exe (started)
Threat name: ByteCode-MSIL.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-10 02:12:00 UTC
File Type: PE (.Net Exe)
Extracted files: 42
AV detection: 20 of 45 (44.44%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:orix1 discovery infostealer spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: 92.222.145.236:60837
Unpacked files
SHA256 hash: 979f2ee271a9f10b3cf5813a69e543264ceeb08333ace72f2aad019ab7c8584f
MD5 hash: f02d4dd2c8c238469389504273e54c8c
SHA1 hash: b6fbc78f42b13e99f26acf452e2dff6e1e23b046

SHA256 hash: 8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash: 4abff34e351e4e95514aecb515e8aea3
SHA1 hash: 742702e8c78e7cf19f19e56a6cdb2d1811759710

SHA256 hash: df4dcf3f808edc631117b8856d2ad1794fdbb930f00b76a5946a7541eba802cc
MD5 hash: b027fe438bf8dcb0f3b513bdcbea6476
SHA1 hash: 0d3312c339248f5d0bc58bba6c2b21703841faac

SHA256 hash: 7feb71e0bcd24d21e20f423434b4c9971c174c9e1aafedab36e2ecab1ff3a5bf
MD5 hash: 8f6c7a779aad2fcebfde67b679378445
SHA1 hash: c2861843b930684f3c15b779e1027ffffe96bcc7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments