MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17c9de3887c482af3a7902e7e6e2247bf1b03d1819508f03557afbeae7c18e90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17c9de3887c482af3a7902e7e6e2247bf1b03d1819508f03557afbeae7c18e90
SHA3-384 hash: b97059df9f3284df40f588e56d55f3435495fb203609c5734a024bc2c1b4b401b39556aa986ce5ea9683a0655dd0d899
SHA1 hash: 5662ba03040600bd9512e6f03048ed2efaea75ea
MD5 hash: 3272af9cde2f592a5c12a1079e9b8411
humanhash: green-yellow-october-apart
File name:3272af9cde2f592a5c12a1079e9b8411
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:105'984 bytes
First seen:2021-06-22 19:08:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:dHj7fHZ3Z124z5jGuX/GMxLfR+BsLD3KZqx3/:dD7f5xFGuX/GWfIBmD6Zy
Threatray 496 similar samples on MalwareBazaar
TLSH C9A3E08E33A432EFC466C1B29D651D606B29A857132BCAAB748701DD9D6C782CF245F3
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Celeste_2.exe
Verdict:
Malicious activity
Analysis date:
2021-06-13 05:00:53 UTC
Tags:
loader trojan rat redline
Link:
https://app.any.run/tasks/60f9a862-7359-4d86-889e-e939abfd76b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167672/
Detection(s):
Win.Packed.Redline-9871569-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine infostealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86ca35d5-79de-47f1-ba0b-8a4c359e484c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/806225
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17c9de3887c482af3a7902e7e6e2247bf1b03d1819508f03557afbeae7c18e90/
Threat name:
ByteCode-MSIL.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 06:48:24 UTC
AV detection:
31 of 45 (68.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7e54oehysbk6otzalt6nyreppy3apiydfii6a2vpl56vz6br2ia._file
Verdict:
malicious
Similar samples:
1720e03faab70e324d64b586f3ddbdb1a48169dd54d3e477c4a73a7e6d27ce97
RedLineStealer
2738373f0b008beb61553747e56cb623befa5e44a43b322cc4b74e7508ec24cb
RedLineStealer
47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
RedLineStealer
4affde0906145b59b617833571ec9ee44d87eb82c4f159a6ead5fd0a49fdc5db
RedLineStealer
5576e6d2bde0df49ee885579d495ccacc2f3a21b45c512224f4180f96c0672b8
RedLineStealer
5677b9d1528c45370a17cd4b68fc443862d4304ef1bca005c369c8c1d9158a62
RedLineStealer
b38276257c15d7c08d18479f37681b9a5bdc720d1e767010b82bebb0fb00038d
RedLineStealer
c7d8d4db5e3b3e5138ec47d758454b7bb0bb418a8cbb7f00dc1ee2211c92716d
RedLineStealer
e2bb30a8cc27e2d95a89ed4656c4f3af6f6be8772494f3ad6b64893412b86f1e
RedLineStealer
f93f28f9a2d3fd6de1862806f61d41a50d6ba76bae3a5e2e0fcdc3a495530eca
RedLineStealer
+ 486 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@onyxxx1 infostealer
Link:
https://tria.ge/reports/210622-mtyytywsy6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.81.227.32:22625
Unpacked files
SH256 hash:
cb23d856b94a9a8e75944c4ac7b81752880a619e22f84993ba87c3369689357c
MD5 hash:
c749bf058c0ad0d82bc8ee466ad2a486
SHA1 hash:
320df74978de70831d70d35953b04a90fadaa3af
Link:
https://www.unpac.me/results/5de3a4a1-201b-481d-95db-e413c8fffbe3/
SH256 hash:
17c9de3887c482af3a7902e7e6e2247bf1b03d1819508f03557afbeae7c18e90
MD5 hash:
3272af9cde2f592a5c12a1079e9b8411
SHA1 hash:
5662ba03040600bd9512e6f03048ed2efaea75ea
Link:
https://www.unpac.me/results/5de3a4a1-201b-481d-95db-e413c8fffbe3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17c9de3887c482af3a7902e7e6e2247bf1b03d1819508f03557afbeae7c18e90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 17c9de3887c482af3a7902e7e6e2247bf1b03d1819508f03557afbeae7c18e90

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1389247/
Cape
Cape
https://www.capesandbox.com/analysis/167672/

Comments