MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments 1

SHA256 hash:	2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702
SHA3-384 hash:	5abc1982dd18a078e04cf16de5f8c9d1a497d244d08363a4c96126758b75fbe96ad4a1a0247722cf5d72f0693532fe9f
SHA1 hash:	c57031bc27359aa0b9df0b20802d3c6397c6bb44
MD5 hash:	dfd3e26bd236a40e8564764365d5a726
humanhash:	robert-lactose-michigan-single
File name:	dfd3e26bd236a40e8564764365d5a726
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	442'368 bytes
First seen:	2021-12-19 20:41:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9b5e0e93b958d7de96d2eb171562e213 (5 x ArkeiStealer, 4 x RedLineStealer, 3 x Smoke Loader)
ssdeep	12288:qBMuvys834Y6eX7lBV67lL3sZQ8ND8SX:Ls8IYfxBVSyQ8GS
Threatray	4'484 similar samples on MalwareBazaar
TLSH	T10E94BF00A6A0C035F2B316F85A79A3B9B53E7DE1AB2454CF62D43AEE56316D0EC31717
File icon (PE):
dhash icon	2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/215285/

Detection(s):

Win.Malware.Sabsik-9916500-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2637/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61bf991fec6c6c14a9e356c6/reports/5062fb1a-cec1-4909-9885-66c67beb4437/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6c03909c-be2a-49a0-b457-4891cac9999b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/909897

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2021-12-19 20:42:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f3wney7sztyqnk222qxnbo4mtapzaz5be46mggdmw4y2vsh3w4ba._file

Verdict:

malicious

RedLineStealer

535b5d8da976e181c1867639063a6a375601de451b46822ff37cd9f19bc82150

RedLineStealer

7eec09749966b69d9eb49acb8e2d50925b3a4cc26d3051dca1dbe91888ca21ad

RedLineStealer

a0900f66e0b67b27ae44d51c4b3fbe365741c3c3d265951bd72536aafe705932

RedLineStealer

c72d58f2ee5007430aac685459da0714396615aaeda68ff1ae5c8c0f9d9396cb

RedLineStealer

ebca21122d4ab9dbef25f95fa2d44e5e7ce4cc120e4cf788790bdeba5ad51d60

RedLineStealer

+ 4'474 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin infostealer

Link:

https://tria.ge/reports/211219-zg2qjshac7/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.29:26828

Unpacked files

SH256 hash:

c168005ed99a1ad9e1b58da3a66daa2a4a4ffe08dde1d994dc62356749fb65e1

MD5 hash:

ce8ca6f9d8b989183690e7a6cf124f33

SHA1 hash:

c5d3aa4389375841dac60cfbc486a075af52631e

Link:

https://www.unpac.me/results/1b7be606-1092-4b26-811e-9a8eab7aa11c/

SH256 hash:

d32f8e57191a72fc39c5db3ce6ba69d6bd3cfc56e81212807155cefa1f4a0d3a

MD5 hash:

b364f620818d47f1e0bfce918167da8e

SHA1 hash:

4b6bed4ea0100a037445636311bccc3482ec0f90

Link:

https://www.unpac.me/results/1b7be606-1092-4b26-811e-9a8eab7aa11c/

SH256 hash:

5e045820d88c6fb22de1cb1f85898b9c891f62e8a9bf55e39ac1f085f715cbc9

MD5 hash:

e6ce754be7fc44c782f55a857b45f035

SHA1 hash:

13c3c4c8401a46af5cdd0f3cab18908fde281afb

Link:

https://www.unpac.me/results/1b7be606-1092-4b26-811e-9a8eab7aa11c/

SH256 hash:

2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702

MD5 hash:

dfd3e26bd236a40e8564764365d5a726

SHA1 hash:

c57031bc27359aa0b9df0b20802d3c6397c6bb44

Link:

https://www.unpac.me/results/1b7be606-1092-4b26-811e-9a8eab7aa11c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/2eecd263f2cc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.