MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b
SHA3-384 hash: c5973052c13f6560ea5f216eb10e18f82eb8ccc26c146089bb120e670f164123f6cfc0f1c168097455b5fd00f5370947
SHA1 hash: e2ffe6da7f2c8c7fbac81ade6fa19262d9163d4a
MD5 hash: 7f7d127294ffc58543e0197866ba1371
humanhash: robert-pizza-mexico-sierra
File name:7f7d127294ffc58543e0197866ba1371.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:448'512 bytes
First seen:2023-05-11 15:55:39 UTC
Last seen:2023-05-13 22:45:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4062e3723fc172742e77f31966f99ab5 (2 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:FGrfLlAL3DNP9map9ylHRP5MrCVW4Tv3L9sOAq+V08ZeQh:wTpAL3DNPDctRPiCI4Tv5F+VZe
Threatray 47 similar samples on MalwareBazaar
TLSH T154947D2393E17C54F966CB729E2EC6ED762EF3504F19776A12149E1F04B02B2C263B19
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0004c18882b3a988 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.161.248.172:26464

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
7f7d127294ffc58543e0197866ba1371.exe
Verdict:
Malicious activity
Analysis date:
2023-05-11 15:58:16 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/9e60721b-78cb-4b2d-91f7-57014684a6b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388430/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/645d1013a2bbacddad9c24fc/reports/dea51d4f-edcf-46b2-8cca-d4f157919516/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1d84d4b-2be5-4574-86f5-194167f8c343
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1230899
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-11 15:36:54 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3dq3h4hmokldtpw5y4vqj4ivpq34q7e2ne4kl27lrbn7skcxnvq._file
Verdict:
malicious
Similar samples:
19f392a08f214c34acb374613826fbfe762a4eb638965f7bbba321835f3b705a
RedLineStealer
2b5c69b4bf95d349cf4e7b209f063222159f45aea240a47df2fcb1d0ca97647f
RedLineStealer
3c11dac0621f47c72e6a68d8530a2be70fa11a2cffc05d04344d49f2b837f3bc
RedLineStealer
48d77180cf874b0ca209ee99f37c36e98c9bc44fcdfa55ccd45039214987d800
RedLineStealer
4cfd6eb94c925a6f41c9c15d990fb5d5583ff0d39a52b54416ad6f53763930f3
RedLineStealer
6755c42c0b84482aed1334a662b8f834e16272a7330c5910b0f22c1d56828568
RedLineStealer
77db7cd9e4f2ac402a07827f41de516c2138fc7972a9cc76fe6eac392429283c
RedLineStealer
b1a75fc70d1fcfbeebb84ebedbaf6d934db49e4b9cc6d8e0f242681de028700c
RedLineStealer
cb1db618ce36feea3e333e74e920a76332340f0094fe777aba6d95d08c80743b
RedLineStealer
ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7
RedLineStealer
+ 37 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230511-tdcdlafe5t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
d4d00f520fce70fd1d7538dca1440743f668dca3d45184e473256b2aa240d7fd
MD5 hash:
133f1768420900065334b7a408269d11
SHA1 hash:
94581fdad69cf8226aef684e4a9a07c3820dff3d
Link:
https://www.unpac.me/results/c0f47c27-b4bc-49fe-ae8e-84f8129a7e9c/
SH256 hash:
07c60097dfc103ee9963345cdfca59cd2a682fbfa12e3f58da2d5b24b72427b3
MD5 hash:
25914215cf818c1a73899646aa2af771
SHA1 hash:
7b670b856fca88e023270c909c0794e6d0b4238e
Link:
https://www.unpac.me/results/c0f47c27-b4bc-49fe-ae8e-84f8129a7e9c/
SH256 hash:
437803853952abbb177be7d4a8cc7f000347f2c71fb0470a7a55cff67c118bac
MD5 hash:
7bd013957c3753801948e38718efac75
SHA1 hash:
6047fc465336ea86492a376152197d35bde90feb
Link:
https://www.unpac.me/results/c0f47c27-b4bc-49fe-ae8e-84f8129a7e9c/
SH256 hash:
296f80857f91b57cc0b016568dd798b8131fb34127294bd7de2f6ce5fe59c359
MD5 hash:
317fd77b0f10bef6ad8d614f1ede4488
SHA1 hash:
235cd7cc1edd5b596fde380594cc7b5874f2420c
Link:
https://www.unpac.me/results/c0f47c27-b4bc-49fe-ae8e-84f8129a7e9c/
SH256 hash:
2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b
MD5 hash:
7f7d127294ffc58543e0197866ba1371
SHA1 hash:
e2ffe6da7f2c8c7fbac81ade6fa19262d9163d4a
Link:
https://www.unpac.me/results/c0f47c27-b4bc-49fe-ae8e-84f8129a7e9c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2ec70d9f8763/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/388430/
  
URLhaus
https://urlhaus.abuse.ch/url/2630168/
  
Delivery method
Distributed via web download

Comments