MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 710250c8a9e4c2b1acfcab83188ea1345e4d04cb339d67e5295b828d356a994b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 710250c8a9e4c2b1acfcab83188ea1345e4d04cb339d67e5295b828d356a994b
SHA3-384 hash: 79dd3045585fb5788880199ce03a0b7694e4b71fb36290ef0e7342690a943aee4944a705c8373194a5675cd775eaeb35
SHA1 hash: a6bfcef1113b41fa198d36954d49201356425a64
MD5 hash: e3325ffcce03b435d074871efa9994f9
humanhash: stream-lithium-virginia-virginia
File name:eFile Pay.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:455'168 bytes
First seen:2022-11-15 07:20:30 UTC
Last seen:2022-11-15 08:45:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d24535d6f8c9f542b87ccfe280ca0ce9 (6 x Amadey, 6 x RedLineStealer, 3 x CoinMiner)
ssdeep 6144:dMX/C475vOBW9ujAXw34/EB68Y/78frEVo7lV6fz4wom5Wi/q24DEH:dK9FOIvXA4/QGYfCEwx5Rtr
Threatray 12'705 similar samples on MalwareBazaar
TLSH T18AA402937640C433E51944784871CAF22A2BFC6ED9BA5B8B7A557B4EBE323C26135307
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4200221292a22a32 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
147.124.217.241:33086

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
eFile Pay.exe
Verdict:
Malicious activity
Analysis date:
2022-11-15 07:21:08 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/bd4b68b8-07fb-42dc-abcf-f355f66ad791

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/334104/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.13514.25387.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63733dde07c3f5e84a01384c/reports/266bbbce-e71d-4a53-a5b4-50cc2896fd06/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c427d53-c766-463b-a700-f55657ace922
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1113559
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/710250c8a9e4c2b1acfcab83188ea1345e4d04cb339d67e5295b828d356a994b/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-11-15 06:39:43 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
25 of 40 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oebfbsfj4tbldlh4vobrrdvbgrpe2bglgoowpzjjlobi2nlktffq._file
Verdict:
malicious
Similar samples:
1c55adb95dc08245fd1d6dc89049db7eb4c3d668762a087dc04a81b189b2fae7
RedLineStealer
4eb2ed0c5a97c02116bdb6531fda7c742a3a64d7fa2a15938b0e9f42a7ba7b2d
RedLineStealer
85245aa479744025f0b3582703dff74aa5e13b28704b011d21a9ec8a443f8516
RedLineStealer
8f098d3db473a169c44697130f8af8d54d2cef231d17fb384fe5a2b2ccff6715
RedLineStealer
aa891955e5f2c58875ad0e8548d04108521d86a41dc1521af27ab8a61409f2a3
RedLineStealer
c33fa13197e5809c4dbf29cc449ee30fdef4ca1274be4c20b7ba5f25f9d5af96
RedLineStealer
f812053df67f2eea6dddc1b190a7fded0a430a7b0f243cb292716f0ba6ef1940
RedLineStealer
+ 12'695 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:free discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221115-h6nfsafd87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
147.124.217.241:33086
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/32b4cdd3-2db4-4c13-a5a2-e0e6c14c279f
Unpacked files
SH256 hash:
bc34cf90397bf6b3adbfe8a42316a8dbcc1693af7f0ada0f68ddf18c3a37816a
MD5 hash:
d089f2033549c541992464d5d6cad548
SHA1 hash:
f609fffe453d4d261d1cb8b99265e53b3d7bcd97
Link:
https://www.unpac.me/results/68be85d1-956f-4f32-bec6-a691e55fe0b2/
SH256 hash:
f58a694139c840161e2b90c2921cfed003c701c46a583d8e6ffe036eacd2458c
MD5 hash:
5bd6b90958ddd0e90ecf9228d81c7bc1
SHA1 hash:
2492bd9989fa13a5275bc1f9587052c571cda37a
Link:
https://www.unpac.me/results/68be85d1-956f-4f32-bec6-a691e55fe0b2/
SH256 hash:
6821e624781715fe09ebbc2d9be469e472e8b648ab9461329d4f6ba1713c0063
MD5 hash:
dc51fdae12161757c3daaac33bf0a55e
SHA1 hash:
1cc12497cad0c752fbf0a703a6493379b805f217
Link:
https://www.unpac.me/results/68be85d1-956f-4f32-bec6-a691e55fe0b2/
SH256 hash:
7d7d03eb0d82b8cb087dda36bcd0b9cf25e28a0c7ce1d39929fcd4036c6bd527
MD5 hash:
a3b3ed626b6fa9847fa1507de8376672
SHA1 hash:
0c63c6ab73e9eb4d3c769a47997b1dafd63c6ed9
Link:
https://www.unpac.me/results/68be85d1-956f-4f32-bec6-a691e55fe0b2/
SH256 hash:
710250c8a9e4c2b1acfcab83188ea1345e4d04cb339d67e5295b828d356a994b
MD5 hash:
e3325ffcce03b435d074871efa9994f9
SHA1 hash:
a6bfcef1113b41fa198d36954d49201356425a64
Link:
https://www.unpac.me/results/68be85d1-956f-4f32-bec6-a691e55fe0b2/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/710250c8a9e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/710250c8a9e4c2b1acfcab83188ea1345e4d04cb339d67e5295b828d356a994b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/334104/

Comments