MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fcddff84357c6f8f764463372426184eb6d6ab6a67bb44ab9e833193239e12b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fcddff84357c6f8f764463372426184eb6d6ab6a67bb44ab9e833193239e12b
SHA3-384 hash: 759f3373f5b796d543a18b4034a4f74f649d421fa8082ac290c0e4bbcefde87f1b5bf086bf52abb2f2f4481346ecbf4a
SHA1 hash: 9b9e550b025849e36d41742b93283aa6496ce7fd
MD5 hash: e0cd08708f99f0353ef55148c68c422e
humanhash: freddie-diet-lima-robert
File name:Shipping Documents inv. 523435300XX.rar
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:651'010 bytes
First seen:2024-05-29 08:18:37 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:dl+9h0Pd2dlUIUUk6R3JULi4hhpYAm3nXZhvLwbGukwVVuVJrdD4Oo:dl+70PAdlFUUk6RO+4hjYAm3X3E6uBc2
TLSH T113D42334429E3A814FE9AF7A4D3FD19D821C4E8552DFED29563CE780B5365D38CE2488
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:rar RedLineStealer Shipping


Avatar
cocaman
Malicious email (T1566.001)
From: ""export" <line@srhdworld.com>" (likely spoofed)
Received: "from peppy.srhdworld.com (peppy.srhdworld.com [194.169.172.195]) "
Date: "27 May 2024 10:08:25 -0700"
Subject: "Fwd: Shipping Documents inv. 5234353"
Attachment: "Shipping Documents inv. 523435300XX.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Shipping Documents inv. 523435300XX.exe
File size:1'137'664 bytes
SHA256 hash: b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae
MD5 hash: efae427357884a8d496facd0298f6af8
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit coinminer fingerprint keylogger lolbin masquerade packed shell32
Link:
https://www.filescan.io/uploads/6656e4f79ef257851a9ab2cc/reports/b0ed2d90-e858-4f0d-baf7-ee1053c69116/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8fcddff84357c6f8f764463372426184eb6d6ab6a67bb44ab9e833193239e12b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fcddff84357c6f8f764463372426184eb6d6ab6a67bb44ab9e833193239e12b/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-05-27 15:01:44 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7g576cdk7dpr53eiyzxeqtbqtvw22vwuz53isvz5azrsmrz4evq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240529-j8z32agd41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fcddff84357c6f8f764463372426184eb6d6ab6a67bb44ab9e833193239e12b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

rar 8fcddff84357c6f8f764463372426184eb6d6ab6a67bb44ab9e833193239e12b

(this sample)

RedLineStealer

Executable exe b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae
  
Dropping
RedLineStealer

Comments