MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eb37b1a65e93d5619e44bb3734b321c97f195a6d079386194a84a5a1617c2dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2eb37b1a65e93d5619e44bb3734b321c97f195a6d079386194a84a5a1617c2dc
SHA3-384 hash: cf34fd16d67723c9a5326cb1c4deac6afc11e4763a2bc63c5022b28560019fc4c3fc2d08edb793cb719f4b67eb4c9261
SHA1 hash: 8f15dcd5942b3afc42b3cbb1fed2869ebe5e106b
MD5 hash: 6997c18c233c36c25ef1ce1227da836f
humanhash: bulldog-beer-orange-diet
File name:6997c18c233c36c25ef1ce1227da836f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:25'600 bytes
First seen:2021-01-25 19:06:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:dt5i1KVw0GHjC8Px3EfWQaL2a8uk7Bj/Ys6vDGy0kxcCydZsH9VudESR:tVJGDVPx3Ef509k1rYsy0k+CE+HT8
Threatray 441 similar samples on MalwareBazaar
TLSH E2B2190973EE0135D5FE8BF181BAA5864070E2736902C75F54C8A19BE726DEB47533A3
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://93.114.128.69:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6997c18c233c36c25ef1ce1227da836f.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 19:07:40 UTC
Tags:
rat redline trojan stealer
Link:
https://app.any.run/tasks/0a316d14-970b-4072-bc75-2987a93bde25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113772/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Creating a file
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/589858
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2eb37b1a65e93d5619e44bb3734b321c97f195a6d079386194a84a5a1617c2dc/
Threat name:
ByteCode-MSIL.Trojan.Spider
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 19:07:04 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2zxwgtf5e6vmgpejozxgszsdsl7dfng2b4tqymuvbffufqxyloa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
16e2f02323bffb1363b00f294c442412db60fa44d63b06cb0098949912d9c3e6
RedLineStealer
1e738345ff1e40f5931d8e2009894f9830a38443836fb9da19eec9498fe2901a
RedLineStealer
2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f
RedLineStealer
45c3f3af9f9d0c905dcb43df313ecf62364fa7cbab78236a3c049700556b1d63
RedLineStealer
61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b
RedLineStealer
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
RedLineStealer
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
RedLineStealer
bbc85a715451d8f29b7ca73395decea7accbaedec73a7f2a757b248cf7cc462b
RedLineStealer
dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68
RedLineStealer
f1f02609df5674a0ad67ce6d2bd2f07dd7616eb2995b07f31ae431a956036ae9
RedLineStealer
+ 431 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/210125-v3fjwqy4ts/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Unpacked files
SH256 hash:
2eb37b1a65e93d5619e44bb3734b321c97f195a6d079386194a84a5a1617c2dc
MD5 hash:
6997c18c233c36c25ef1ce1227da836f
SHA1 hash:
8f15dcd5942b3afc42b3cbb1fed2869ebe5e106b
Link:
https://www.unpac.me/results/5a2f6268-e0c9-4ac9-a1d7-8c8a09f145b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/2eb37b1a65e93d5619e44bb3734b321c97f195a6d079386194a84a5a1617c2dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2eb37b1a65e93d5619e44bb3734b321c97f195a6d079386194a84a5a1617c2dc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/959579/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113772/

Comments