MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7ea710ceb6d4c02a068bd0401b6510c44756ad410d2bf656c061699e238cef7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7ea710ceb6d4c02a068bd0401b6510c44756ad410d2bf656c061699e238cef7
SHA3-384 hash: 86250226fcbb5f741cea30b1671491c3738172b1c09746c62d6e4857fd29787fc0f75f168c62631e4139d2dcb591f53f
SHA1 hash: e369890c925ec0fd9035f1c4945687ed9d0bcbd6
MD5 hash: bc6f4099025d6db07f5b02263373669a
humanhash: red-nine-nebraska-apart
File name:bc6f4099025d6db07f5b02263373669a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'112'576 bytes
First seen:2021-11-11 08:24:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:FEQivgFr6XM6oyar0Mzjokr6dX4QRaigrCc9f+OszQRuOEWhO95g/YBPeBG2FUSB:5iE59fMOEXKGWO
Threatray 2'466 similar samples on MalwareBazaar
TLSH T15C35AB1C587FF05970A2E9D2D9DC55BA8B8951E3148C7C3EF0A162274FF3B46AACB025
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204933/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.972-1.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/618cd360a00afa9663a3cb41/reports/dc56d4b6-e9a3-41eb-abc0-6e3a7d9e92b4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a109bd78-1f5d-446c-8fcf-1a8e982690b2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/887334
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7ea710ceb6d4c02a068bd0401b6510c44756ad410d2bf656c061699e238cef7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 17:22:07 UTC
AV detection:
20 of 44 (45.45%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
RedLineStealer
219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75
RedLineStealer
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
RedLineStealer
2da5e33b3e0a7bf86bbd2e28d6214b10c835d98ebebd0eb1e0f35c195613dc94
RedLineStealer
353e6fb7120943459ed2a7e9f51370d22cf7d20cd459e83ac483f5ce3d37d7fb
RedLineStealer
5e988e57c8c5c3e4d7afe95f4c8f0d9fabf80d54ad6070868772b856e2e749ad
RedLineStealer
73d7def516f13281fd06673ef3b5b87eb99ba4f708dbfa78a11bf0de94b23df1
RedLineStealer
777c3247006fe2a81472de7916225585926e34ed5bf1a3f4d4564320706c283b
RedLineStealer
+ 2'456 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/211111-kbamjsgafl/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
176.123.9.192:27934
Unpacked files
SH256 hash:
a6f689d330f1332027c1f1f47aba83f3cf2799d3fc31b23979565fbc58710a25
MD5 hash:
7d3aa1464ae35148bd1e9324da275dfe
SHA1 hash:
af8d4c3350c08dbfd423a14a6e7b3574bc7da31e
Link:
https://www.unpac.me/results/21eff99c-1624-467c-8064-41dc82635027/
SH256 hash:
e7ea710ceb6d4c02a068bd0401b6510c44756ad410d2bf656c061699e238cef7
MD5 hash:
bc6f4099025d6db07f5b02263373669a
SHA1 hash:
e369890c925ec0fd9035f1c4945687ed9d0bcbd6
Link:
https://www.unpac.me/results/21eff99c-1624-467c-8064-41dc82635027/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e7ea710ceb6d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/e7ea710ceb6d4c02a068bd0401b6510c44756ad410d2bf656c061699e238cef7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e7ea710ceb6d4c02a068bd0401b6510c44756ad410d2bf656c061699e238cef7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/204933/
  
URLhaus
https://urlhaus.abuse.ch/url/1775919/

Comments


Avatar
zbet commented on 2021-11-11 08:24:13 UTC

url : hxxp://host-host-file6.com/files/3692_1636556145_8677.exe