MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ff2b7827d44f9b69c19b01baef4121501ba8026fa47ea3c84041361d286e16e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ff2b7827d44f9b69c19b01baef4121501ba8026fa47ea3c84041361d286e16e
SHA3-384 hash: b18342f0cad80b1530d44abaed922492204943bb3657d11e033087031f56c83a96c0d4d0b937341d866f5d44fecc54f1
SHA1 hash: 15aadce420d6834a08d2d3f13193783b3dbed8f8
MD5 hash: db6300870533a2bf99a0e9721d05605f
humanhash: solar-kitten-lamp-cold
File name:db6300870533a2bf99a0e9721d05605f
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:670'184 bytes
First seen:2021-06-24 23:58:11 UTC
Last seen:2021-06-25 00:38:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:C0agLmi5KF5s/07J9wztUbdUY66eMA2U6SfRZ+cEYW:C0agai45ss7JSzR61Ap6hcEYW
Threatray 29 similar samples on MalwareBazaar
TLSH 82E4F7DE4DF1AA2EEBC681F621D54C002FB4AD5D6D89F80BB76E19820F12614F9138D7
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
db6300870533a2bf99a0e9721d05605f
Verdict:
Suspicious activity
Analysis date:
2021-06-24 23:59:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3089e9bb-56cb-49fc-9eba-57bd4b67aeb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168182/
Detection(s):
SecuriteInfo.com.ArtemisDB6300870533.16341.27322.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14f61c80-d6b9-411c-b353-df5f647e9692
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/807833
Signature
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ff2b7827d44f9b69c19b01baef4121501ba8026fa47ea3c84041361d286e16e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 23:58:19 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0a86370c2e094aa16cf56acf57bcc15294e2a66a8c12c1c52794b1ce965cf31e
RedLineStealer
0b639fef11b10b1b8c0bcf71e0030ef94ed4f09f4797447eef43c8a1a5707668
RedLineStealer
42949a2f912c87695ebffdd714eae9ae470935a2323f75a937fa3521155b3701
RedLineStealer
4ccf916fe0d3173dc9e6da3de749b437ff651b13bc32bf0538c29fc30c594a8d
RedLineStealer
546b14e45dad5ac436d7c928dc8e325082eacf2bd329a6f21648f37a37fe507d
RedLineStealer
60cbcdb415e08196418d8b319e4bd3e186ee78639363c5c1c92b0f73637dd581
RedLineStealer
6a2d4f973fda446fac31f2b2a23f82669ff77d1bdb0b07c32e4a1f36a6feec54
RedLineStealer
7f3ca9e8e9f6aaab9b8151f262a20dff03d53a437e689cb1c9a937349051e947
RedLineStealer
8cdbdc48eeff6dbd8b3cf2bcbf91b4c58c5479e8c3779f36debdd3856f17b185
RedLineStealer
b2435f96048b1f8c2fc923c8a8a93cb34ad5079d81b656cacc1daf70775c2ba8
RedLineStealer
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210624-8p99ef1x52/
Behaviour
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
3999efb1a6df606d02272b26d7741d8fd2b82a3dc4e20c753b319b552e5ea2a0
MD5 hash:
2a143936350e1e5950f513f1543ef490
SHA1 hash:
f2ca1be2ed9c3c189b8ae1deb7aa5b720f3b943e
Link:
https://www.unpac.me/results/01285e28-2c27-43f2-a1da-cd6746a5f004/
SH256 hash:
0d769327495a1a71156c246306269a096ac52d08a0f9d67fd258de281a558d87
MD5 hash:
dbb1fae95fb36cd7c41a375a28a360ae
SHA1 hash:
c1cb8b12de2e78dea790282b3e0680c554bc8af4
Link:
https://www.unpac.me/results/01285e28-2c27-43f2-a1da-cd6746a5f004/
SH256 hash:
0590cf214fd668fc4e589363fd0e6341e125bae421e627c8618179a401fb3648
MD5 hash:
2cfc583c79e5cb694b73ed825d3b3015
SHA1 hash:
148833d551b45df3f542a0b2c8e12c87a29aec71
Link:
https://www.unpac.me/results/01285e28-2c27-43f2-a1da-cd6746a5f004/
SH256 hash:
7ff2b7827d44f9b69c19b01baef4121501ba8026fa47ea3c84041361d286e16e
MD5 hash:
db6300870533a2bf99a0e9721d05605f
SHA1 hash:
15aadce420d6834a08d2d3f13193783b3dbed8f8
Link:
https://www.unpac.me/results/01285e28-2c27-43f2-a1da-cd6746a5f004/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ff2b7827d44f9b69c19b01baef4121501ba8026fa47ea3c84041361d286e16e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0d07705fa0e0c4827cc287cfcdec20c4
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7ff2b7827d44f9b69c19b01baef4121501ba8026fa47ea3c84041361d286e16e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168182/

Comments