MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0eacfcddb54670cb6b1585e554d4bd26bb7f74d5b0728b1679b117f49b349743. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	0eacfcddb54670cb6b1585e554d4bd26bb7f74d5b0728b1679b117f49b349743
SHA3-384 hash:	d33d3b3ac80c43eddba5bd05d311a72d8e740455e8ba766c3695472a56dd119873903533bbcc93066fc86a6c19e90133
SHA1 hash:	a811e4936c9965d452fea56c0e50e0349b9b7878
MD5 hash:	ea82729c16f0066b15d6ecf7600e9069
humanhash:	snake-angel-edward-friend
File name:	ea82729c16f0066b15d6ecf7600e9069.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	340'648 bytes
First seen:	2021-09-25 09:37:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9b494192bab1e0e5f914d8f6d610f95a (7 x RaccoonStealer, 1 x Glupteba, 1 x ArkeiStealer)
ssdeep	6144:WNZQiiWzV62WOFzFJvOkwDLkqHTnalC9mvewVvASX0Y6c8esu:UZVzV67OJvOj08naUmvewVvtVNFsu
Threatray	5'354 similar samples on MalwareBazaar
TLSH	T15874BE20BAA0C031F5F716F815B583B8A93E7AB16B3480CB52D656ED27347E4AC31797
File icon (PE):
dhash icon	3113557179157789 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
80.87.192.249:16640

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
80.87.192.249:16640	https://threatfox.abuse.ch/ioc/226452/

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ea82729c16f0066b15d6ecf7600e9069.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 09:43:55 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/352558a6-c570-4b3a-8693-62c49615352b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191456/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.23220.18891.UNOFFICIAL

Win.Malware.Raccoon-9894356-1

Win.Packed.Fragtor-9895216-0

Win.Packed.Fragtor-9895222-0

Win.Malware.Fragtor-9895451-0

Win.Malware.Fragtor-9895683-0

Win.Packed.Fragtor-9895692-0

Win.Malware.Fragtor-9895773-0

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/90cf74f7-e2af-4d0a-8531-3ff3d14f9e1d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/857903

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0eacfcddb54670cb6b1585e554d4bd26bb7f74d5b0728b1679b117f49b349743/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-20 01:09:54 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b2wpzxnvizymw2yvqxsvjvf5e25x65gvwbziwftzwel7jgzus5bq._file

Verdict:

malicious

RedLineStealer

2fd3207bf2afd0fcebb92faa05afe1d40f54a49f374bdfe84556e1c418d16e37

RedLineStealer

383f147b7eb4c815bc9def993cff994da41c7395092ceedd3c22d10e130b8c15

RedLineStealer

4396ca0aae315ad2bba765753f85606a95e5309acde75f3577d93b282f35aba4

RedLineStealer

60595b6c6de942a30a61cb02b27b2dfec3cb76ee4751a68b8d92feefda02f78e

RedLineStealer

9d686b9d3079d7d07fd1bd2c49c0bdc6c9a6c64e5688b2e550f7ca161d78bebc

RedLineStealer

a008bb0729de684e5924e241190f6ac3d3fcc780cc409449a594e4fb9a1e8bed

RedLineStealer

bc622f5729f264d9943fdbfda5bacb5f8654c7bbbeada1a58da252434dee4f1f

RedLineStealer

d2dfee39028d2344853119ef7834b34f6138c822adf1ab05d5adc1634f141528

RedLineStealer

dc628ccba76f61f9e7ba2d4a5fd87cfb8f83769f8a03ff452c70c5c62eefa482

RedLineStealer

+ 5'344 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:2 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210925-ll38aaahcr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

80.87.192.249:16640

Unpacked files

SH256 hash:

a2ff10e0568df7a62caaf5a19981dd0e88c2325056ffdf268daf58df1e9644c1

MD5 hash:

5bfdac8c7169ccb5f6f3bc52da9a91ed

SHA1 hash:

d3edc93f8e4da83163f814f3c99ec41484480a4c

Link:

https://www.unpac.me/results/161f7d80-65e2-4106-91f1-5d6744d04995/

SH256 hash:

0fe6290010b63b124188c14cf38f0406a9dbf7496afabe687d4e3eeec600df23

MD5 hash:

fd4f9efb04464d149c3ace53c110e0f4

SHA1 hash:

9ea9bd0679b139d9a7d747f0f6a13c6191b06567

Link:

https://www.unpac.me/results/161f7d80-65e2-4106-91f1-5d6744d04995/

SH256 hash:

bbc53e129ffcc33b3c9749c808c7d21366e382708e7b90489dcc5241dc04fd27

MD5 hash:

31e4db2a19a304ee2693d242e9837f29

SHA1 hash:

8a2b50b7733a2a9c7ae4628e728ee9cbd27fb8e3

Link:

https://www.unpac.me/results/161f7d80-65e2-4106-91f1-5d6744d04995/

SH256 hash:

0eacfcddb54670cb6b1585e554d4bd26bb7f74d5b0728b1679b117f49b349743

MD5 hash:

ea82729c16f0066b15d6ecf7600e9069

SHA1 hash:

a811e4936c9965d452fea56c0e50e0349b9b7878

Link:

https://www.unpac.me/results/161f7d80-65e2-4106-91f1-5d6744d04995/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0eacfcddb546/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/0eacfcddb54670cb6b1585e554d4bd26bb7f74d5b0728b1679b117f49b349743

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191456/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample