MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d724eef097700915a348d42dcfa0255e3edb3c644cf8740fd052cddab2c81b54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	d724eef097700915a348d42dcfa0255e3edb3c644cf8740fd052cddab2c81b54
SHA3-384 hash:	01d6d3c9cc22926b0a4694d47c77886a9e5b58643d7dae394cf51c780d0341b6b4a253d2e52eab5ceee84f69930fc125
SHA1 hash:	6fe22be92274b39ae3f9d8038839eac9c998c156
MD5 hash:	4ec6690cda3dea826ac307b3d2461f0e
humanhash:	black-apart-king-nuts
File name:	Scan Payment 32.xll
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	648'192 bytes
First seen:	2022-02-23 12:13:24 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep	12288:Q0Ws7IMsR4yVld8bzbBSrexBY4ZyrE7K3yl8PeVooA/AB2LEJZxfAQPUqj7:Q0bskX1BBY4ZyrE7K3yl8PeVooA/AB2k
Threatray	46 similar samples on MalwareBazaar
TLSH	T12DD46D55BECA6EA1EFBF47B78361DA2D1126736D03A0A6CF6603019D3951FC2453EA03
Reporter	abuse_ch
Tags:	RedLineStealer xll

Intelligence

File Origin

# of uploads :

1

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Generic-9939833-0

SecuriteInfo.com.Trojan.DownloaderNET.312.27193.19952.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/d724eef097700915a348d42dcfa0255e3edb3c644cf8740fd052cddab2c81b54/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware packed packed

Link:

https://www.filescan.io/uploads/62162512ac8ad0468b6b7d43/reports/4bd3b82e-afed-4ebe-bf0b-7973aa97f162/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d724eef097700915a348d42dcfa0255e3edb3c644cf8740fd052cddab2c81b54/

Threat name:

ByteCode-MSIL.Trojan.XllDownloader

Status:

Malicious

First seen:

2022-02-23 12:14:14 UTC

File Type:

PE (Dll)

Extracted files:

2

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=24so54exoaerli2i2qw47ibfly7nwpdejt4hid6qklg5vmwidnka._file

Verdict:

unknown

Similar samples:

0c2a4483319382571e9b470d292d0b4bdd4e7e700ff5722a979e4498c147693f

12b746c0b5556ef44be803c0ebb7dbfccbacd3a4f8df1b783d4730a311209cdd

1bf8c12c3dadffb6d0b9dfbebd78a15bed670640830c0f41369ea6137c2aeb1d

4a9683f3b6658f4895cd3d44c4920d77db5dfd410cf0dc188e4f4d2740c24539

727f124333294aaba156840955cbfc6ac7470768c65c1582c5e0dbfcb6f8722f

864b3cc362f84975007a63ae6f7fa6b4bdcc06f4459195896ebee385443ed44a

9b682330445e8eb6445cc43968e21ae3ffe1b9d8c3ae5210c9a8d12416315d5d

bf3529c3d7d27a23db406da1cae1ab04e4b0c5b14de4aa69d5bb11166e1e5c1f

c61b6512d455398c2ff7fa4450c488e7eaeb8aacc01f732d8204ae302e2cc868

dcb880afbaa7e57f574b4e08595ef2c1ac7100a695359c1edc9af535d7f9e64f

+ 36 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer spyware

Link:

https://tria.ge/reports/220223-pebq8saaa9/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Process spawned unexpected child process

RedLine

RedLine Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d724eef097700915a348d42dcfa0255e3edb3c644cf8740fd052cddab2c81b54

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample