MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 298dd8f445bfe48f599cb038dbc28524aedbde52747b1d611bbc39fc9799ee60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 298dd8f445bfe48f599cb038dbc28524aedbde52747b1d611bbc39fc9799ee60
SHA3-384 hash: e91ba94f9b9a8fcea53ad2687076503e0ced50b8ed7610c45eb43be8db1554ec6e8dbc103520b8a07abc304d6933b6c0
SHA1 hash: 15c3e6b4f6816c6b250797cc9369c6e81f4f4f46
MD5 hash: e17713dbd050978f12b8130bbcc7c2e6
humanhash: bluebird-william-mike-twelve
File name:E17713DBD050978F12B8130BBCC7C2E6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:555'999 bytes
First seen:2021-07-24 03:21:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 12288:rfAv6B8azBwdkdrdHGVLHBzy6+ZvO+DEXXgK+:7k6+c2dOdW+ZXEny
Threatray 807 similar samples on MalwareBazaar
TLSH T1E7C4D002F5838472D522C5310A29A7717BFCBE201EE48A5FB7CC6D6DD9724D17B21AA3
dhash icon b4b269e4e4c68038 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://18.184.50.127:6677/IRemotePanel

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://18.184.50.127:6677/IRemotePanel https://threatfox.abuse.ch/ioc/162656/
18.184.50.127:6677 https://threatfox.abuse.ch/ioc/162657/

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E17713DBD050978F12B8130BBCC7C2E6.exe
Verdict:
Malicious activity
Analysis date:
2021-07-24 03:22:42 UTC
Tags:
trojan rat redline evasion stealer
Link:
https://app.any.run/tasks/c4de1d8d-ba30-43f2-8efd-fb43fc956095

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173811/
Detection(s):
Win.Malware.Generic-9874383-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.31721986.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d94a1de6-5c74-40ec-9b24-c87a582bf5e6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821135
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Found malware configuration
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453546 Sample: 8UoyPawEhs.exe Startdate: 24/07/2021 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected RedLine Stealer 2->52 54 3 other signatures 2->54 12 8UoyPawEhs.exe 5 2->12         started        process3 file4 40 C:\Koksadd\Koksad.sfx.exe, PE32 12->40 dropped 15 cmd.exe 1 12->15         started        process5 process6 17 Koksad.sfx.exe 12 15->17         started        20 conhost.exe 15->20         started        file7 38 C:\Users\user\AppData\Local\...\Koksad.exe, PE32 17->38 dropped 22 Koksad.exe 15 5 17->22         started        process8 dnsIp9 42 www.geoplugin.net 22->42 44 geoplugin.net 178.237.33.50, 49723, 80 ATOM86-ASATOM86NL Netherlands 22->44 46 5 other IPs or domains 22->46 56 Antivirus detection for dropped file 22->56 58 Multi AV Scanner detection for dropped file 22->58 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->60 62 4 other signatures 22->62 26 cmd.exe 1 22->26         started        signatures10 process11 process12 28 taskkill.exe 1 26->28         started        30 conhost.exe 26->30         started        32 choice.exe 1 26->32         started        process13 34 MpCmdRun.exe 1 28->34         started        process14 36 conhost.exe 34->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/298dd8f445bfe48f599cb038dbc28524aedbde52747b1d611bbc39fc9799ee60/
Threat name:
ByteCode-MSIL.Infostealer.Gaborone
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 01:19:00 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgg5r5cfx7si6wm4wa4nxqufesxnxxssor5r2yi3xq47zf4z5zqa._file
Verdict:
malicious
Similar samples:
0edb9b65eac66a632e3e44c385ee861d360ee50e84e314c855bcf01aa9933c50
RedLineStealer
13979361d20b6c7184a7d3a8e5454782162a4ab734d2f9a01ed8421aeea5eee9
RedLineStealer
452d3d97689e5c5fcfdb2cad360b5768fbb7fedd07166e4e5131844196d4ddb0
RedLineStealer
4e41b23135ccd630532e143f5b6d41ae6d050b284fceaef1ef959e2414cf7c9a
RedLineStealer
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
RedLineStealer
a4c57df59f0c85eebcb7b40263d8c3de037f41b7d2d43b6d34e7baf72a2e1448
RedLineStealer
b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de
RedLineStealer
c7962bac550ffe20ff69bbcecea355ea9689fa1e76506d3d8343f1b1f5619706
RedLineStealer
dc8ddcd4db035fa647001a01cab6a2866d092fcaad18279835751ee0396da041
RedLineStealer
+ 797 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210724-7gbglzvvj6/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
298dd8f445bfe48f599cb038dbc28524aedbde52747b1d611bbc39fc9799ee60
MD5 hash:
e17713dbd050978f12b8130bbcc7c2e6
SHA1 hash:
15c3e6b4f6816c6b250797cc9369c6e81f4f4f46
Link:
https://www.unpac.me/results/5dca974a-fda0-417a-a9c8-4c109b6c7115/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/298dd8f445bfe48f599cb038dbc28524aedbde52747b1d611bbc39fc9799ee60

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173811/

Comments