MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e8df369f52ab139c4b57a7136df48e8e9c5ee476435eda8d7b6f08d430ef903. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	2e8df369f52ab139c4b57a7136df48e8e9c5ee476435eda8d7b6f08d430ef903
SHA3-384 hash:	1ba92acf341fe0641bbfe7b5d2c58f42574f0eb3310cdbe4c3856ca30b1745440ede524782992977330ef540e880f508
SHA1 hash:	c0f0e7d4260e5ad601a3775cb278e2c3e0488855
MD5 hash:	e9e2f8cec0b391651a2989aa7968da28
humanhash:	jupiter-diet-monkey-papa
File name:	e9e2f8cec0b391651a2989aa7968da28.bin
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	732'672 bytes
First seen:	2023-03-01 18:08:08 UTC
Last seen:	2023-03-01 19:34:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:ZvgQNODKe/eIhJdQFlzynZim5OpzvruB2ZEl3brF3ekpVHJQYvNqH2OMmXnOnI:SDN/eIhkUEW2CrRVH+Y1m1
Threatray	345 similar samples on MalwareBazaar
TLSH	T110F4A32F69C681E1C5C8C831F3FA40FD54F54A7F1A55A3B706A403E8EF5222A76526E3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	bin exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

e9e2f8cec0b391651a2989aa7968da28.bin

Verdict:

Malicious activity

Analysis date:

2023-03-01 18:10:21 UTC

Tags:

redline rat

Link:

https://app.any.run/tasks/2a4d3d38-94b4-4587-bfb8-66176362f12f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/370857/

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.21213.30036.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63ff94bf03b144271569b584/reports/d669780a-b93e-458e-8c25-98683833dc2e/overview

Verdict:

Malicious

Labled as:

MSIL/Kryptik_AGeneric.AKM trojan

Link:

https://www.hybrid-analysis.com/sample/2e8df369f52ab139c4b57a7136df48e8e9c5ee476435eda8d7b6f08d430ef903

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/371ec6dd-c4e1-48e7-834d-77d742a1bd0d

Result

Threat name:

DarkTortilla, RedLine

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1185085

Signature

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Snort IDS alert for network traffic

Yara detected DarkTortilla Crypter

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e8df369f52ab139c4b57a7136df48e8e9c5ee476435eda8d7b6f08d430ef903/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-03-01 18:09:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 39 (38.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f2g7g2pvfkyttrfvpjytnx2i5du4l3shmq263kgxw3yi2qyo7ebq._file

Verdict:

malicious

RedLineStealer

1331d10811b5b02f55f7a6fa0e957543c2c2ea5c9817518f97905b6038dfed93

RedLineStealer

48e5254ba169afae1d8738c988a7c00c34f12f452f28a7f19c4ed34ae0014d73

RedLineStealer

4dc43e28a0587cac34a92bf41308483f0b29f9a10f5bad041a72bd84386c2199

RedLineStealer

57faf10d8b88aa01b650deba123db2ab0823b541044fb8e6585a2bfc319f9a4f

RedLineStealer

5b448efa26739f46016d83c4d735822880e2ff5288d191c99c545666f04ba356

RedLineStealer

7b63a593d3daeb1dcbd92382a310cf88798ce82cd4d33c0d14b85ff30a85e20a

RedLineStealer

ca10c218c7ed12f56148c11d31a0698c8d232064faba12402c16b70f7e34bf55

RedLineStealer

fc11c7743ee5d510bb52732f41f0ba40be8da3be2d820cf91a0774d575f11434

RedLineStealer

fcb68c665d4639bacb89984706b5c2bbea6633e9c6f4d7639c468e553e45f47d

RedLineStealer

+ 335 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

spyware

Link:

https://tria.ge/reports/230301-wrfpaaha4v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Unpacked files

SH256 hash:

2e8df369f52ab139c4b57a7136df48e8e9c5ee476435eda8d7b6f08d430ef903

MD5 hash:

e9e2f8cec0b391651a2989aa7968da28

SHA1 hash:

c0f0e7d4260e5ad601a3775cb278e2c3e0488855

Link:

https://www.unpac.me/results/6156331b-e362-44d3-85c9-a51d43d3ae3e/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2e8df369f52a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/2e8df369f52ab139c4b57a7136df48e8e9c5ee476435eda8d7b6f08d430ef903

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/370857/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample