MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d316934fbbc328ee5764cc3ffad8342ebb530df25f43e3f46e0e27fcc8f7067f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d316934fbbc328ee5764cc3ffad8342ebb530df25f43e3f46e0e27fcc8f7067f
SHA3-384 hash: f6add2e14dbadfb13624ac2fdbd1d0d791cc4212bc8afefad1357798699a8aabd7017881434488f549745a1f499892d1
SHA1 hash: 394351007b7fa83b84a30c66b84083ba9af66410
MD5 hash: 33ffe47617ab65e5fbb0b2eedf0b5b4e
humanhash: oregon-wisconsin-burger-yellow
File name:#PO_Teklif Talebi - 1523 Dmreklam ltd sti 0%01% pd.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:855'104 bytes
First seen:2023-10-03 07:12:28 UTC
Last seen:2023-10-04 07:21:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 24576:mk70TrcKMs8ftsubdunEtMif2Fo0VANdUKsm1:mkQTAZsubdunDif2F9Agw
TLSH T18F0512257491C0B2D8BB513144EACA395F7978714BA0C5EBB39C677A6F203E1A3392CD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter TeamDreier
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
4
# of downloads :
285
Origin country :
DK DK
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin net_reactor overlay packed packed
Link:
https://www.filescan.io/uploads/651bbefe64965c51f772ae36/reports/3b98ff54-ecb3-49fa-917c-9d5829b19930/overview
Verdict:
Malicious
Labled as:
Ser.MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/d316934fbbc328ee5764cc3ffad8342ebb530df25f43e3f46e0e27fcc8f7067f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e52bed9-3b78-49b5-80c6-1243f2bccafc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1318500
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d316934fbbc328ee5764cc3ffad8342ebb530df25f43e3f46e0e27fcc8f7067f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 04:31:13 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 35 (65.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2mljgt53ymuo4v3ezq77vwbuf25vgdpsl5b6h5dobyt7zshxaz7q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231003-h13nhsgh71/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
.NET Reactor proctector
Unpacked files
SH256 hash:
463aa045f854ffecb3946a07f05997a71824403dc0c12a04b751c651cb917e5b
MD5 hash:
322f33b7c58a749e10d8702e7bc43282
SHA1 hash:
8b5a29c485af013acd1e003f27726604d52a9612
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0a84c967-5fd1-4367-8f2b-f6a2e185ff7c/
Parent samples :
ed39cdb38f54700c6cf37768cabd78367a0de953ab1e64b1fd8e9b640e91d8f3
fd50d6b7509b787326363d683eea439e2aa01086b726a95d3fe9987366275bfb
d316934fbbc328ee5764cc3ffad8342ebb530df25f43e3f46e0e27fcc8f7067f
SH256 hash:
de19d627c65f6f60e5755efcfd01cffbde50cab18a5d505918fa052a7fee8146
MD5 hash:
b2d0760df70662498c8c34ab35275dd2
SHA1 hash:
9caf23e793795e5b52d0e1bb071bbfce205f3a03
Link:
https://www.unpac.me/results/0a84c967-5fd1-4367-8f2b-f6a2e185ff7c/
SH256 hash:
f5946a4ee1c77d059ca95a55190dfad65a0c1e9af6c2af90dfb27df925cae166
MD5 hash:
2c6aa13baf3ab581baecde8d34e0a6bd
SHA1 hash:
86e175f19a02a23c67730df1aaacf8375746e742
Link:
https://www.unpac.me/results/0a84c967-5fd1-4367-8f2b-f6a2e185ff7c/
SH256 hash:
d90a39b51cad0e28994aea80fed31b9d938f3cccf19caff2808694211b3ba8e1
MD5 hash:
0baf09ed7d8d6fc269ed48bb4e743fb7
SHA1 hash:
2a6dbeae069f6327d0bbf12908e214c6272f8996
Link:
https://www.unpac.me/results/0a84c967-5fd1-4367-8f2b-f6a2e185ff7c/
SH256 hash:
d316934fbbc328ee5764cc3ffad8342ebb530df25f43e3f46e0e27fcc8f7067f
MD5 hash:
33ffe47617ab65e5fbb0b2eedf0b5b4e
SHA1 hash:
394351007b7fa83b84a30c66b84083ba9af66410
Link:
https://www.unpac.me/results/0a84c967-5fd1-4367-8f2b-f6a2e185ff7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.04
Link:
https://yomi.yoroi.company/submissions/d316934fbbc328ee5764cc3ffad8342ebb530df25f43e3f46e0e27fcc8f7067f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe d316934fbbc328ee5764cc3ffad8342ebb530df25f43e3f46e0e27fcc8f7067f

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments