MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d5a9009545155455d1a54cfb1b2ac8439048efb7608f8a17608820452eee60b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: 7d5a9009545155455d1a54cfb1b2ac8439048efb7608f8a17608820452eee60b
SHA3-384 hash: c9ce66dd707d5046d0b53f00f5b3c13309bd8af9f8ec32c76e757f1b681b293329f8990a567b0703a13e81d39888f31f
SHA1 hash: 9cfb7e88e093f3288574faba2b24f475eff157ac
MD5 hash: e2b025b09e74f407f821f00b691a07bd
humanhash: papa-winter-kansas-oven
File name: e2b025b09e74f407f821f00b691a07bd.exe
Signature: RedLineStealer
File size: 364'032 bytes
First seen: 2021-12-11 08:36:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 40946eb7f18ff06bd788849825e1d2cd (2 x RedLineStealer, 1 x CryptBot, 1 x RaccoonStealer)
ssdeep: 6144:WAHLkq7/xjfb9yv280Y5hx4Z1buzbgwu6L7ITsqSigaTwVfr:NHFdjfs+x8xaxunnn7s
Threatray: 1'153 similar samples on MalwareBazaar
TLSH: T11374D0F126ED8572D0533E304825A7A19B2BBD52EA20D206FA34674E1F73BDC45E235E
dhash icon: 1ee2d83c6cb8f24e (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://ad-postback.biz/stats/save.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                    ThreatFox Reference
http://ad-postback.biz/stats/save.php  https://threatfox.abuse.ch/ioc/274488/

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: e2b025b09e74f407f821f00b691a07bd.exe
Verdict: Malicious activity
Analysis date: 2021-12-11 08:38:55 UTC
Tags: trojan evasion rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
- Creating synchronization primitives
- Searching for synchronization primitives
- Launching the default Windows debugger (dwwin.exe)
- DNS request
- Sending an HTTP GET request
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
- MalwareBazaar
- SystemUptime
- CPUID_Instruction
- MeasuringTime
- EvasionGetTickCount
- CheckCmdLine
- EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm exploit greyware lockbit packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature:
- Machine Learning detection for sample
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for submitted file
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Threat name: Win32.Trojan.Raccoon
Status: Malicious
First seen: 2021-12-08 20:11:56 UTC
File Type: PE (Exe)
Extracted files: 82
AV detection: 25 of 27 (92.59%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: suricata
Behaviour:
- Kills process with taskkill
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Enumerates physical storage devices
- Program crash
- Deletes itself
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE GCleaner Downloader Activity M5
Unpacked files
SHA256 hash: 1f3329e2454dda3b180889ee5ca94a89ba5d73c140ae92452f052f412c7047db
MD5 hash: ac9c80f3662c0d9c9777815ea7f5365a
SHA1 hash: 10993f81aac724bdd4f9f27693a0722fb2e83d3b

SHA256 hash: 7d5a9009545155455d1a54cfb1b2ac8439048efb7608f8a17608820452eee60b
MD5 hash: e2b025b09e74f407f821f00b691a07bd
SHA1 hash: 9cfb7e88e093f3288574faba2b24f475eff157ac
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_onlyLogger
Author: ditekSHen
Description: Detects onlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments