MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0
SHA3-384 hash: be746c76ac85b95c2f5ca9528def8ca7c373a28e4b34198bc14130edd06e2a5cd1d4c14898401f8066d5f799ba501611
SHA1 hash: 8ab85548d9864f8a1931cd55ea991374954d8e96
MD5 hash: e78fb375bbaa0be99fdfaed02ea8fb1a
humanhash: maine-nebraska-mobile-oscar
File name:Bank_Details.xz
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:844'897 bytes
First seen:2024-08-03 06:23:31 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:50rotVqW1w5DP6rEs9W+X5HHHOc0rVIsVeLLG:6Urq8w5Tjs95FwIOee
TLSH T18D05333EEF0CFE270F4B6C62C609D5ED9E75826A8FA41C849119DF0284E855B4DB6C17
Reporter cocaman
Tags:payment RedLineStealer xz zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Margarida Sousa <export@gurmat-tr.com>" (likely spoofed)
Received: "from [194.169.175.191] (unknown [194.169.175.191]) "
Date: "29 Jul 2024 09:14:44 -0700"
Subject: "PAYMENT RETURNED"
Attachment: "Bank_Details.xz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Bank_Details.exe
File size:1'461'760 bytes
SHA256 hash: d6e12ca72ee501a41c85d8aeee6ee15bd6f203622a3fd875996bebb4115fb404
MD5 hash: 5ebf4fc104570b9074cf54840814513a
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a7f9b1c06bd32e596e63f2
Tags:
Generic Infostealer Network Stealth Trojan Shellcodecrypter
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc shell32
Link:
https://www.filescan.io/uploads/66adcd0278d5c73fb1cb99d1/reports/f639c296-0e23-422c-9858-c7a6a917ddbe/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0/
Threat name:
Win32.Ransomware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-07-29 12:56:33 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sljlb4gp3atlaqwvxlqda3ntwrepkaagpejd4yipqxkmstemb7ya._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240803-hrhlzs1bjf/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Loads dropped DLL
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

zip 92d2b0f0cfd826b042d5bae0306db3b448f5000679123e610f85d4c94c8c0ff0

(this sample)

RedLineStealer

Executable exe d6e12ca72ee501a41c85d8aeee6ee15bd6f203622a3fd875996bebb4115fb404

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d6e12ca72ee501a41c85d8aeee6ee15bd6f203622a3fd875996bebb4115fb404
  
Dropping
RedLineStealer

Comments