MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc708c22acda37fb50cea6d603cb794852d8311349970461b178ff66dedccc0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	fc708c22acda37fb50cea6d603cb794852d8311349970461b178ff66dedccc0b
SHA3-384 hash:	6e45837c972e1542c169a96017997f59649aec1fc8d510e4e954facb0851707d582bbc7651963bbec3f42614ff070503
SHA1 hash:	0fb009f9cc8a82c31f31a78f5ed11bd84cec97b3
MD5 hash:	cbe30f7bff71640a9c3421adb13e5e82
humanhash:	neptune-blossom-beer-muppet
File name:	fc708c22acda37fb50cea6d603cb794852d8311349970461b178ff66dedccc0b
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'492'880 bytes
First seen:	2022-11-24 05:26:36 UTC
Last seen:	2022-11-24 06:28:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e8369ab868ac98ab415f776fed0bb5b0 (1 x RedLineStealer)
ssdeep	98304:09ENOVKAD83t83o4HtaADJIItAte0exO7baEv3JSew4HqetOXfacKq:ZNxY3o4Z0eCWO3oewiKXfJ
Threatray	74 similar samples on MalwareBazaar
TLSH	T1164623735A75010AC0E8DC398A377DE431F746AF8646AC79E9AE79C239724A1E743C43
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	ce4ee2e19999e1e2 (1 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe Logitech Z-708 Template GIT RedLineStealer signed

Code Signing Certificate

Organisation:	Logitech Z-708 Template GIT
Issuer:	Logitech Z-708 Template GIT
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-11-22T16:12:54Z
Valid to:	2032-11-23T16:12:54Z
Serial number:	6ef2dafe55f9978e4689f39416055f55
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	5e883f6b22e7c443f468fe84cf3def1ca5175a897a48816c1cc716b4703e3f18
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

fc708c22acda37fb50cea6d603cb794852d8311349970461b178ff66dedccc0b

Verdict:

Malicious activity

Analysis date:

2022-11-24 05:29:04 UTC

Tags:

evasion trojan rat redline amadey stealer vidar loader opendir sinkhole

Link:

https://app.any.run/tasks/ec988d56-053d-4639-80e1-b1a562582674

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/337928/

Detection(s):

SecuriteInfo.com.Win32.InjectorX-gen.19142.20897.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the Windows subdirectories

Сreating synchronization primitives

Modifying a system file

DNS request

Replacing files

Launching a service

Launching a process

Sending a custom TCP request

Sending a UDP request

Forced system process termination

Blocking the Windows Defender launch

Adding exclusions to Windows Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/637f00a894f9bac087b33240/reports/fd101284-fdef-471f-b29f-52d371e05e8e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a4dc5544-841a-494b-925b-ebba48cd8725

Result

Threat name:

PrivateLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1120293

Signature

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Modifies Group Policy settings

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected PrivateLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc708c22acda37fb50cea6d603cb794852d8311349970461b178ff66dedccc0b/

Threat name:

Win32.Spyware.Mufila

Status:

Malicious

First seen:

2022-11-23 18:39:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ryiyivm3i37wugou3lahs3zjbjnqmitjglqiynrpd7wnxw4zqfq._file

Verdict:

malicious

RedLineStealer

6077006507c8ccc3461cf85493c75bb77efb973387666f1e3e25ca07801ff481

RedLineStealer

71976a8939fca900ea30249c75dc1f462bebf2d9bac2e9900679c59bf2ad00c8

RedLineStealer

c5b4ef6efd9f7da867cceb90761c47c62e882bce0cc20ca88f5f73fb7308c01c

RedLineStealer

c75b21d9f3189b648b2b83dae0fb48e49eb5458e8c3c5cfbdbcac460b43acc32

RedLineStealer

d72645347b3fa6134cc416b6b9d73eec9d4ef2af4dbf26c6b91da795144c394c

RedLineStealer

fd3f9ee2a7b4e35be97140818562dc4470f90705cbd959e87c07ed983692e33d

RedLineStealer

+ 64 additional samples on MalwareBazaar

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader spyware stealer

Link:

https://tria.ge/reports/221124-f5eq5sbg98/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Drops file in System32 directory

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

PrivateLoader

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f32b2a22-8846-4859-a408-1811feec19b7

Unpacked files

SH256 hash:

a55bf453f5c8b7d7ab1154696617897b17485dc2fb70a015ea3b794f4f8614b6

MD5 hash:

28cedc75ee38fb9e3f1b81390fbabf12

SHA1 hash:

76bf69906a0ee00874b79c89bdc2cc3a1412c84e

Detections:

PrivateLoader

win_privateloader_w0

win_privateloader_a0

Link:

https://www.unpac.me/results/daee7388-2b62-4e2c-8c5d-cf6ff9f97bc0/

SH256 hash:

fc708c22acda37fb50cea6d603cb794852d8311349970461b178ff66dedccc0b

MD5 hash:

cbe30f7bff71640a9c3421adb13e5e82

SHA1 hash:

0fb009f9cc8a82c31f31a78f5ed11bd84cec97b3

Link:

https://www.unpac.me/results/daee7388-2b62-4e2c-8c5d-cf6ff9f97bc0/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fc708c22acda/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fc708c22acda37fb50cea6d603cb794852d8311349970461b178ff66dedccc0b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/337928/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample