MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 11 File information Comments

SHA256 hash:	f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be
SHA3-384 hash:	41c9bbb024e23b889fc00a9cbd66147c5009003c219ee643a13f43ea3d1e4b0e367356a78af440edabb302d2b1676da6
SHA1 hash:	69d5c88ceb1c2a01db7f33bd98aeca34ae91144a
MD5 hash:	834a71badc84386bc9079f7836a78cb9
humanhash:	thirteen-eighteen-shade-crazy
File name:	POP_Swift_Copy_MTC78362-N70002.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'214'400 bytes
First seen:	2025-03-24 12:19:32 UTC
Last seen:	2025-03-24 12:21:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	49152:5s0c++OCvkGs9Fau9jhNJjkPi6CC9BQYw63YeDmg27RnWGj:aB3vkJ99jhN+PiLC9BQuzD527BWG
Threatray	78 similar samples on MalwareBazaar
TLSH	T16FA5F12273DDC360CB669173BF6AB7056EBF3C614A30B95B2F880D7DA960161162C763
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	adrian__luca
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

416

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

POP_Swift_Copy_MTC78362-N70002.exe

Verdict:

Malicious activity

Analysis date:

2025-03-25 07:05:49 UTC

Tags:

m0yv evasion stealer redline metastealer exfiltration smtp ultravnc rmm-tool agenttesla

Link:

https://app.any.run/tasks/823d8c9b-8e3b-479a-a71c-ef42531b9eac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Expiro-1.UNOFFICIAL

SecuriteInfo.com.Win32.Expiro-2.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e24ba8bb84e066269ed845

Tags:

redline autoit expiro emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Modifying an executable file

Creating a window

Launching a service

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Modifying a system executable file

Launching a process

Connection attempt to an infection source

Loading a system driver

Modifying a system file

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun for a service

Query of malicious DNS domain

Enabling autorun with the shell\open\command registry branches

Forced shutdown of a system process

Unauthorized injection to a recently created process

Infecting executable files

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script crossrider evasive expiro fingerprint keylogger lolbin microsoft_visual_cc packed packed packer_detected pcalua virus virut

Link:

https://www.filescan.io/uploads/67e14e19a08e28b31da06142/reports/260f8d05-a483-4b5a-96c1-9c194cc9f692/overview

Verdict:

Malicious

Labled as:

Expiro.Generic

Link:

https://www.hybrid-analysis.com/sample/f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be

Result

Verdict:

MALICIOUS

Result

Threat name:

AgentTesla, PureLog Stealer, RedLine

Detection:

malicious

Classification:

spre.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1647045

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be/

Threat name:

Win32.Virus.Expiro

Status:

Malicious

First seen:

2025-03-18 09:00:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6nml744gecoqewzy326bbinfff5mtaijt2zpojhbj7i5xpa4s67a._file

Verdict:

malicious

Label(s):

expiro

unc_loader_036

RedLineStealer

3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745

RedLineStealer

5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796

RedLineStealer

829026e0d6a6f73f3328bb4aabd5f0e3f063f000cd9d860c051b307e148395d5

RedLineStealer

8ddfda62decd6de3185b1ec3bebe067a20a124a39f8483afa9bbc47b3f3d0c09

RedLineStealer

b336830d627101633db934f8d48606639c70d133a5985026bc250c035e887faf

RedLineStealer

cb45d6a207ad4218619ad1b7e1001b55201894ef21f717588e5f3df5122c0583

RedLineStealer

error

RedLineStealer

ff3bcc4bc70f9e6724fcc0fb36c4f57cc5956136850bd39c9581413f7c4688a9

RedLineStealer

+ 68 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:agenttesla family:redline botnet:success discovery infostealer keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250324-phy1yaztct/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Agenttesla family

RedLine

RedLine payload

Redline family

Malware Config

C2 Extraction:

204.10.161.147:7082

Verdict:

Malicious

Tags:

trojan expiro

YARA:

Windows_Virus_Expiro_84e99ff0 SUSP_Imphash_Mar23_3

Link:

https://app.threat.zone/submission/bcfaca48-05f6-462b-9881-e26d31226a86

Unpacked files

SH256 hash:

f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be

MD5 hash:

834a71badc84386bc9079f7836a78cb9

SHA1 hash:

69d5c88ceb1c2a01db7f33bd98aeca34ae91144a

Link:

https://www.unpac.me/results/c7110d85-2275-4f51-b0e6-5de415d8478c/

SH256 hash:

ed18517f2d86e33931cc08a0e88d71465c95aea86c9f57286b564f93fe624ac8

MD5 hash:

9879f080b1dcec72bf26176c78971b52

SHA1 hash:

486590f380e0095d1a8090c5149ad6f9b5a29f47

Detections:

AutoIT_Compiled

SUSP_Imphash_Mar23_3

Link:

https://www.unpac.me/results/c7110d85-2275-4f51-b0e6-5de415d8478c/

SH256 hash:

c9e0fcfa64a2b401ca566de783fd7568e09936b544188f824d7cd029a8324f06

MD5 hash:

f49351dbeb32150fb1dcfe43aa196071

SHA1 hash:

474026cac18e49cc8b1c909f328412e4528f1b96

Detections:

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/c7110d85-2275-4f51-b0e6-5de415d8478c/

SH256 hash:

2760698d19a0b6116266cd39e449401b3c26a64dc7f01817145aabcf40c0d9ad

MD5 hash:

a67092f7508c50e55d740f6fb83cbd6b

SHA1 hash:

2e02b31b5931122465ca1ae30a09c5cfbfd8c991

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

RedLine_Campaign_June2021

Link:

https://www.unpac.me/results/c7110d85-2275-4f51-b0e6-5de415d8478c/

SH256 hash:

f07a706c0554ed9363bd396dd49f788a0df232caf0af01161d831a12b95d964d

MD5 hash:

209b15fade618af5831e6e2528a4fedc

SHA1 hash:

2efc49db01f3df2c1cd0a528c75e466a9478b698

Detections:

redline

MALWARE_Win_MetaStealer

Link:

https://www.unpac.me/results/c7110d85-2275-4f51-b0e6-5de415d8478c/

Parent samples :

4d693b4dd287f3aba462951d56f00aac4432794d3b489dfa93ffd17dbf40edc3
8e8b85ca1b4d5b6d629c758ec683a2530e54fc57e51d273e07e5d4f6f016dc72
f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be
d9a96e9b62e5b913df31e846590ce1e0443a43eeec2d0f091e60d82e44f7aa92
24d9992ff5374362ef6cf3bc9bb327901547099700c43214adfc1d1e7a71a694
76b7a6c453c0e7ff462c2e4e5968707191841c1625086f23fb684d58ac5a40ec
54a728dbac9d9338a6ce84720d8a113c8c9305cdb407cc030fdc0f626802f10b
097aac287a75711189c318b90a29d89ff06b50ecbcbda001e66c34d395cca3fe
a48800d7b18541d4375e24bfede8beb941e55bc2c5d996553425bc3c52c0f0a9
712177390e5c001579f04f887e88dfe49c62233cbc8ec0ccafb0b334d5cbc177

SH256 hash:

2386f8b71f47befd0dc493b373333a04735749dedc4a12240e47ea5930f85184

MD5 hash:

3edff8f7a6912d8e716903174487b77f

SHA1 hash:

5a5c01a933218192bea3da11b6f5d01601b7723c

Detections:

win_agent_tesla_g2

AgentTesla

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/c7110d85-2275-4f51-b0e6-5de415d8478c/

Parent samples :

f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be
24d9992ff5374362ef6cf3bc9bb327901547099700c43214adfc1d1e7a71a694
097aac287a75711189c318b90a29d89ff06b50ecbcbda001e66c34d395cca3fe
712177390e5c001579f04f887e88dfe49c62233cbc8ec0ccafb0b334d5cbc177
ddf3d262ae602c8a518988831fcda60dd9d30145784db33fb579f55467bb40bc
95075ecbdcd1ff294433ceeb45d7bb3d24e94857620dba98b5f6b08250cff811
75934fdad79b792f5cc60a639e5e2ee4de473d9b5fb53dee501449aa5d11140e
48b13dc5d6a66402760e4101ab8f097e12383743f4091b5701aa18f5a248afac
952ed34f5838937752d2c3615faa9cf753358986bcef6df8aba9bcbe59b4e657
b8068c2cc437cde14517e2b16aaefc85f9911678499e956cf7f57bea0c6a0f20
8fd04789c93f96715ffe402e0f9423e5a6c5b16a79a0a8988444e2f1d326555e

SH256 hash:

aa5d4e19eda89886df4e7876b0600a502f41c6347bd9c8f7536f2c11d4468768

MD5 hash:

22b23de33fad71e620f66872784c7379

SHA1 hash:

6213fc5f02f0f1f2086a7a35da1508bb66f1a12c

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/c7110d85-2275-4f51-b0e6-5de415d8478c/

SH256 hash:

abdd6f31a909b0b10e30ced74a1f6f037adf1f61a8a842048dbc254d6f076169

MD5 hash:

c33a7f0e25bb3f4d3c19fc8441e9d12b

SHA1 hash:

0286b277e97b9f7c217a0d029e8144f8e20b40b9

Link:

https://www.unpac.me/results/c7110d85-2275-4f51-b0e6-5de415d8478c/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f358bff38620/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Generic_Threat_ebf62328 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Virus_Expiro_84e99ff0 Create hunting rule
Author:	Elastic Security

Rule name:	win_m0yv_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

exe f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample