MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19f1ea56c297f5839edbdea6e8022ad6e9aabc66a44542ed8e3462f7ac762068. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 14

SHA256 hash: 19f1ea56c297f5839edbdea6e8022ad6e9aabc66a44542ed8e3462f7ac762068
SHA3-384 hash: b1d3cb4462627a4474f107ce3d642a2654ffddf8cc1bcdda156a458c5b00d803c9f1dbb72fcb28406442409683014e0c
SHA1 hash: 04cb3f41c0576f62fbc7d469d2ab437306a86876
MD5 hash: 3b920515f814e95ab45e8975ab91b50c
humanhash: lemon-comet-sweet-rugby
File name: eReceipt.exe
Signature: RedLineStealer
File size: 459'264 bytes
First seen: 2022-11-24 20:20:21 UTC
Last seen: 2022-11-24 21:30:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a0f5eee1a1d8df02fd40c6cf3174a3d (6 x Smoke Loader, 3 x RedLineStealer, 2 x Amadey)
ssdeep: 12288:9zhnWjtxkuHS3tLORhjzd+CpRh/i1OseN:9gtiaSAdTFmC
Threatray: 5'928 similar samples on MalwareBazaar
TLSH: T13DA4122272D0D472C1AA54306E34FAA07BFEB9321975C55B3798267E0FA02D29733767
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f2ceaca6b2968eb0 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
104.37.172.154:40564

Intelligence


File Origin
# of uploads: 2
# of downloads: 314
Origin country: n/a
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: eReceipt.exe
Verdict: Malicious activity
Analysis date: 2022-11-24 20:23:15 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details:
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer

Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2022-11-24 20:21:10 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 20 of 26 (76.92%)
Threat level: 2/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:ereceipt discovery infostealer spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction: 104.37.172.154:40564

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
