MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e0abf93a5b5e789f549c22f12f3c8442fc08aa63d7e1a70978e0f42f563418d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	2e0abf93a5b5e789f549c22f12f3c8442fc08aa63d7e1a70978e0f42f563418d
SHA3-384 hash:	19e872fdd58990aa5124e3edd1b54d49cdfa0bb43791098916e0b4fb5087782c798a06831460101ee584b591692db5f9
SHA1 hash:	b50a68c7f999e9f0c5de7df7b73a0cb2da2ce970
MD5 hash:	e172ba4157323a85e397e762eb370bce
humanhash:	lamp-eighteen-vegan-autumn
File name:	e172ba4157323a85e397e762eb370bce.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	407'040 bytes
First seen:	2021-11-03 20:21:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e024db68009cf7f32dd817cae1867bf3 (6 x RedLineStealer, 2 x AZORult, 2 x RaccoonStealer)
ssdeep	6144:GgkXZ4Uk5oZo9kVc9PFrZO52jBaFgE/9xmt8+0sprDZ:GXGUkN9dO4jBaFgEbmt8dsB
TLSH	T11084BF00E7A1C034F1B212F84A769269B53F7EA1AB3980CF12D516EE5B789E1EC71357
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e172ba4157323a85e397e762eb370bce.exe

Verdict:

Malicious activity

Analysis date:

2021-11-03 20:38:01 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/ae02c392-fea6-48e8-8baa-12d548133763

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/202072/

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6182ef72bf51178dbe4d9193/reports/65756e54-8503-4a16-a809-f44711778c83/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/026bf0d3-5a6c-44db-a88f-b52b6f95dc80

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/882606

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e0abf93a5b5e789f549c22f12f3c8442fc08aa63d7e1a70978e0f42f563418d/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-11-03 09:27:44 UTC

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udptest discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211103-y5klhacaeq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.56.146.64:65441

Unpacked files

SH256 hash:

eb67a388dba708c47989e862e85a12233448649d905f222c2874b17af1932eb1

MD5 hash:

2f514191d8a8850e51255cd54e96de2d

SHA1 hash:

8305d1b1bee5e7cc01087363e182b7adb3a39800

Link:

https://www.unpac.me/results/1873c8ab-e878-408d-8473-64bcebd807e1/

SH256 hash:

e1ae7e2b33b3dc036f12fac7f372134090935de29d453fdc0c838db5288340ab

MD5 hash:

c1108718dcfb2b7a752e2c4c1e27659d

SHA1 hash:

59c7c4ca474af49a7fc77e58da554f02f9d68191

Link:

https://www.unpac.me/results/1873c8ab-e878-408d-8473-64bcebd807e1/

SH256 hash:

a3016b6e5863c9b51ef7616c7bb720c2a2dc4b4ff545af47aabc8ad82b5dc45c

MD5 hash:

988bab2529a6b385e407ba8ef050dc51

SHA1 hash:

3851cb15de623f44d62581e970ab183d8ed4769c

Link:

https://www.unpac.me/results/1873c8ab-e878-408d-8473-64bcebd807e1/

SH256 hash:

2e0abf93a5b5e789f549c22f12f3c8442fc08aa63d7e1a70978e0f42f563418d

MD5 hash:

e172ba4157323a85e397e762eb370bce

SHA1 hash:

b50a68c7f999e9f0c5de7df7b73a0cb2da2ce970

Link:

https://www.unpac.me/results/1873c8ab-e878-408d-8473-64bcebd807e1/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/2e0abf93a5b5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e0abf93a5b5e789f549c22f12f3c8442fc08aa63d7e1a70978e0f42f563418d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 2e0abf93a5b5e789f549c22f12f3c8442fc08aa63d7e1a70978e0f42f563418d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1582746/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/202072/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample