MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ea3a592c2d7a1ffa8b037e369a8572d59ce9264d97b3029e96b7ec2b3580313. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ea3a592c2d7a1ffa8b037e369a8572d59ce9264d97b3029e96b7ec2b3580313
SHA3-384 hash: 646c72a7210f3b67646314c24f3febc7b54850792858832fc72577f17ff7c48e9aab3808f891215154a64fe50279e48e
SHA1 hash: a70ecda2fbd18fb24a59f1781c221418f61c5eed
MD5 hash: 7558a54d489cf94ca3653cc7dec87d4d
humanhash: maine-lemon-ten-sierra
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'133'824 bytes
First seen:2022-11-09 21:37:04 UTC
Last seen:2022-11-09 23:52:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e045c920c82e7a05da4487cce2e427b2 (12 x RedLineStealer)
ssdeep 98304:aXzP/iB0lJEamz+nwmUFojjpgrXtOPL1cfmACYHa:23r6amiwmUF+jSrXQPpcbCYHa
Threatray 15'379 similar samples on MalwareBazaar
TLSH T1203633B9C9F098DFC89050F1935185EE7C079A4EA5E12CB236C62F83FA74913E2DD994
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon bd78e0ebf2faee64 (1 x DBatLoader, 1 x RedLineStealer)
Reporter jstrosch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-09 21:37:40 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/469fec3d-cbd0-48c6-aa51-9052add8949a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331452/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.30715.26814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636c1dbb7662ecf108397ddb/reports/38bf71b9-c3cf-496c-99e7-d43bd366756c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8ebc9a59-aba4-4578-9cfe-c2177b586538
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109850
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ea3a592c2d7a1ffa8b037e369a8572d59ce9264d97b3029e96b7ec2b3580313/
Threat name:
Win32.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 10:58:35 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2r2lewc26q77kfqg7rwtkcxfvm45ete3f5takpjnn7mfm2yamjq._file
Verdict:
malicious
Similar samples:
0fddeb14acea742a808d10f5c6da7f411ea92e44f5e85b39cb8e9cf5e104a0ae
RedLineStealer
116eda3dadde2f047613ac43093e0b808a783713acd49e63d26674a63ab537f7
RedLineStealer
212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3
RedLineStealer
28a4fc89b3ecdce491137e550252749c41c1ab97cebfb5241b8910de6aeb11fe
RedLineStealer
4c2fbcef3f39e0358e1be767031312acb1d40a99d9dddddb779c1d458c302e4c
RedLineStealer
51e0e7e4fe62c83990f3f6d6e276f8bed4fd4a0cb8c50eb69fff6d57368e7d11
RedLineStealer
5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030
RedLineStealer
df8082a0727341606afda10b167324b33efd4b4f98f468f53d74b3588257c754
RedLineStealer
+ 15'369 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:julik discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/221109-1g2k8aeafk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine payload
Malware Config
C2 Extraction:
109.107.191.169:34067
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/75571b74-8da6-4edb-a992-20c17b78eafe
Unpacked files
SH256 hash:
f17facdaaeeb4c2c1c17157767832271fde01ff48481d792ae54513757a425ba
MD5 hash:
48238060b76822812beb11f65d8b48e6
SHA1 hash:
aa30c6b683bb0157846f8646f52f1f44803c4549
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/dbd9be46-9620-44dc-b29f-ebaafc52f674/
SH256 hash:
7b136f87b919bbfefd1ff74ea333c77dffd3681d7a74ab5056c2ad16af7d503b
MD5 hash:
25368f0a95d6b934bdc043f109902afb
SHA1 hash:
97df7472803957aec9d6b356ab1dc359e5c7f7a4
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/dbd9be46-9620-44dc-b29f-ebaafc52f674/
SH256 hash:
dbfa66f6ce6e845606cb24bf51a55c859fdc1d88eaae3119d069d5fc52ea8d8c
MD5 hash:
7e31d7b68895d4a07e88c2b016e525d8
SHA1 hash:
b48e3416410ef87cbc355ca88c5c37a58f29dc59
Link:
https://www.unpac.me/results/dbd9be46-9620-44dc-b29f-ebaafc52f674/
SH256 hash:
5ea3a592c2d7a1ffa8b037e369a8572d59ce9264d97b3029e96b7ec2b3580313
MD5 hash:
7558a54d489cf94ca3653cc7dec87d4d
SHA1 hash:
a70ecda2fbd18fb24a59f1781c221418f61c5eed
Link:
https://www.unpac.me/results/dbd9be46-9620-44dc-b29f-ebaafc52f674/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ea3a592c2d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/5ea3a592c2d7a1ffa8b037e369a8572d59ce9264d97b3029e96b7ec2b3580313

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5ea3a592c2d7a1ffa8b037e369a8572d59ce9264d97b3029e96b7ec2b3580313

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2404089/
Cape
Cape
https://www.capesandbox.com/analysis/331452/

Comments