MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f827f2bf1b408666b9065e18d72ddf4252007c3fcfd2aff38fff20eb5e6691f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f827f2bf1b408666b9065e18d72ddf4252007c3fcfd2aff38fff20eb5e6691f
SHA3-384 hash: f7d4b9ee2d316f34107d71c81c161223212eefc5e5f07bacf50c843129453d586a21c4811e2cdb0c7b89d674d3c70435
SHA1 hash: bfe355a8999cf445d3c8d5c758e6e6d883b05612
MD5 hash: e3afa27a7ec82b9c82b485996e9eb1e0
humanhash: twelve-oven-beryllium-california
File name:e3afa27a7ec82b9c82b485996e9eb1e0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:41'566'848 bytes
First seen:2025-02-13 07:38:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 786432:ysaDGUhB8O7L3WtPBgMIXAyJRxsgQEUpq/JRKMtLy1QQqgYySCEfnA62PiLPXTgU:4GqBBCPBOvJfsTEUpIJRz0QQ4fnh2PU1
Threatray 1'561 similar samples on MalwareBazaar
TLSH T12A97337C31A19866E0DA3A3C32DCA7E177B5F5104606077B86B4B2764F054532EECABE
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 2c5cb363d383458b (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
514
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
e3afa27a7ec82b9c82b485996e9eb1e0.exe
Verdict:
Malicious activity
Analysis date:
2025-02-13 07:42:55 UTC
Tags:
autoit stealer github rdp remote ms-smartcard rdpw tool redline
Link:
https://app.any.run/tasks/f4d3ace6-d546-464b-a11c-e9f4d9ce669a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ada1a928ab76d43a5aabb4
Tags:
valyria autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer keylogger microsoft_visual_cc overlay packed packer_detected
Link:
https://www.filescan.io/uploads/67ada1a3633d73336287df09/reports/6b378bab-5328-46c9-bc20-01359716ff6d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/1f827f2bf1b408666b9065e18d72ddf4252007c3fcfd2aff38fff20eb5e6691f
Result
Verdict:
MALICIOUS
Result
Threat name:
RDPWrap Tool, RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1614056
Signature
Adds a directory exclusion to Windows Defender
Adds a new user with administrator rights
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Add User to Remote Desktop Users Group
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected RDPWrap Tool
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1614056 Sample: 3w1EBU1Eks.exe Startdate: 13/02/2025 Architecture: WINDOWS Score: 100 151 xvWJRyFfkQgWAsMzz.xvWJRyFfkQgWAsMzz 2->151 153 userauto.space 2->153 155 3 other IPs or domains 2->155 171 Found malware configuration 2->171 173 Malicious sample detected (through community Yara rule) 2->173 175 Antivirus detection for dropped file 2->175 177 13 other signatures 2->177 14 3w1EBU1Eks.exe 12 2->14         started        17 wscript.exe 2->17         started        20 wscript.exe 2->20         started        signatures3 process4 dnsIp5 217 Contains functionality to register a low level keyboard hook 14->217 23 cmd.exe 1 14->23         started        25 cmd.exe 1 14->25         started        143 C:\Users\user\AppData\...\SzbKtJcv.bat, DOS 17->143 dropped 219 Wscript starts Powershell (via cmd or directly) 17->219 221 Windows Scripting host queries suspicious COM object (likely to drop second stage) 17->221 28 cmd.exe 17->28         started        157 raw.githubusercontent.com 185.199.110.133, 443, 49709, 49712 FASTLYUS Netherlands 20->157 145 C:\Program Files\RDP Wrapper\rdpwrap.bat, exported 20->145 dropped 223 System process connects to network (likely due to code injection or exploit) 20->223 30 cmd.exe 20->30         started        file6 signatures7 process8 signatures9 32 cmd.exe 4 23->32         started        36 conhost.exe 23->36         started        199 Wscript starts Powershell (via cmd or directly) 25->199 201 Obfuscated command line found 25->201 203 Uses ping.exe to sleep 25->203 207 5 other signatures 25->207 38 conhost.exe 25->38         started        205 Adds a new user with administrator rights 28->205 40 cmd.exe 28->40         started        42 cmd.exe 28->42         started        44 net.exe 28->44         started        50 3 other processes 28->50 46 conhost.exe 30->46         started        48 fsutil.exe 30->48         started        process10 file11 129 C:\Users\user\AppData\Roaming\...\Tua.com, PE32 32->129 dropped 131 C:\Users\user\AppData\Roaming\...\Dimmi.com, PE32 32->131 dropped 133 C:\Users\user\AppData\...\Abbassando.com, PE32 32->133 dropped 161 Obfuscated command line found 32->161 163 Uses ping.exe to sleep 32->163 52 Abbassando.com 32->52         started        55 Tua.com 32->55         started        57 Dimmi.com 32->57         started        69 4 other processes 32->69 59 WMIC.exe 40->59         started        61 WMIC.exe 42->61         started        63 net1.exe 44->63         started        65 net1.exe 50->65         started        67 net1.exe 50->67         started        signatures12 process13 dnsIp14 179 Potential malicious VBS script found (suspicious strings) 52->179 181 Potential malicious VBS script found (has network functionality) 52->181 183 Found API chain indicative of sandbox detection 52->183 187 2 other signatures 52->187 72 Abbassando.com 52->72         started        75 Tua.com 1 55->75         started        185 Found evasive API chain (may stop execution after checking mutex) 57->185 78 Dimmi.com 57->78         started        159 127.0.0.1 unknown unknown 69->159 signatures15 process16 file17 195 Injects a PE file into a foreign processes 72->195 80 Abbassando.com 1 18 72->80         started        149 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 75->149 dropped 197 Writes to foreign memory regions 75->197 84 cscript.exe 75->84         started        86 RegAsm.exe 15 2 75->86         started        88 conhost.exe 75->88         started        90 Dimmi.com 78->90         started        signatures18 process19 file20 135 C:\Program Files\RDP Wrapper\RDPWInst.exe, PE32 80->135 dropped 137 C:\Users\user\AppData\Roaming\...\525.vbs, ASCII 80->137 dropped 139 C:\Users\user\AppData\Roaming\...\1160.vbs, Unicode 80->139 dropped 165 Modifies Windows Defender protection settings 80->165 167 Adds a directory exclusion to Windows Defender 80->167 92 cmd.exe 80->92         started        95 cmd.exe 80->95         started        97 cmd.exe 80->97         started        99 7 other processes 80->99 141 C:\Users\user\AppData\Roaming\...\IdP.dll, XML 84->141 dropped 169 Tries to harvest and steal browser information (history, passwords, etc) 90->169 signatures21 process22 signatures23 209 Wscript starts Powershell (via cmd or directly) 92->209 211 Adds a directory exclusion to Windows Defender 92->211 101 powershell.exe 92->101         started        104 conhost.exe 92->104         started        106 powershell.exe 95->106         started        108 conhost.exe 95->108         started        213 Modifies Windows Defender protection settings 97->213 110 powershell.exe 97->110         started        112 conhost.exe 97->112         started        215 Adds a new user with administrator rights 99->215 114 cscript.exe 99->114         started        117 powershell.exe 99->117         started        119 14 other processes 99->119 process24 file25 189 Loading BitLocker PowerShell Module 101->189 147 C:\Users\user\AppData\Roaming\...\997.vbs, ASCII 114->147 dropped 191 Potential malicious VBS script found (suspicious strings) 114->191 193 Potential malicious VBS script found (has network functionality) 114->193 121 WMIC.exe 119->121         started        123 WMIC.exe 119->123         started        125 net1.exe 119->125         started        127 net1.exe 119->127         started        signatures26 process27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1f827f2bf1b408666b9065e18d72ddf4252007c3fcfd2aff38fff20eb5e6691f
Gathering data
Threat name:
Win32.Trojan.Sesfix
Create hunting rule
Status:
Malicious
First seen:
2025-02-08 15:25:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6bh6k7rwqegm24qmxqy24w56qssab6d7t6sv7zy77za5npgnepq._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
rdpwrap
Create hunting rule
Similar samples:
1f827f2bf1b408666b9065e18d72ddf4252007c3fcfd2aff38fff20eb5e6691f
RedLineStealer
2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
RedLineStealer
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
RedLineStealer
561a8b830e902a0ba18457a0aa8db8a8c663de8ee33e6009f236cedff00f8cbb
RedLineStealer
70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc
RedLineStealer
7817a0794693ad5eaffdc86ca9d8cf7350f9159433d376840e9f6cb6b9c60edc
RedLineStealer
c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
RedLineStealer
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
RedLineStealer
d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14
RedLineStealer
e4c860ba85358041e3ca90b9b94f10499392e4c6db71bd13c59fa8559e2b848b
RedLineStealer
error
RedLineStealer
+ 1'551 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:ads5 defense_evasion discovery execution infostealer lateral_movement persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250213-jg24bavmgr/
Behaviour
Delays execution with timeout.exe
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Hide Artifacts: Hidden Users
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Password Policy Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies RDP port number used by Windows
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
userauto.space:80
Verdict:
Malicious
Tags:
Win.Malware.Drivepack-9884589-1
YARA:
n/a
Link:
https://app.threat.zone/submission/bc64f856-d4eb-4178-b37e-c28278bf929a
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1f827f2bf1b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f827f2bf1b408666b9065e18d72ddf4252007c3fcfd2aff38fff20eb5e6691f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA
USER32.dll::CreateWindowExW

Comments