MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ebc7e1ea9ff210ff6cc6afc7ce54daa1b172fad5ff272f9e3243b80021ab73f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ebc7e1ea9ff210ff6cc6afc7ce54daa1b172fad5ff272f9e3243b80021ab73f
SHA3-384 hash: f365d0435ae3ffe6cf4e6124e6c81df2dc48349477628d5d083af802cf54eccf7ad786b6383c5aa61146ebeecd927bc7
SHA1 hash: a6e732bc3fe5a1d6d1f8a4e4033922309b0c2b59
MD5 hash: cabd1c84cae82b88dc69dae85c57570e
humanhash: edward-spring-oscar-vermont
File name:cabd1c84cae82b88dc69dae85c57570e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:379'904 bytes
First seen:2021-09-14 13:22:38 UTC
Last seen:2021-09-14 13:57:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24cd254e67d6db3867cbce493d437194 (2 x DanaBot, 2 x RaccoonStealer, 1 x DCRat)
ssdeep 6144:EXODViRatmg5vjbSWH9yQm85pPr2xfNUTn39zSRAEJVcmhT:fO8PvjbSbQmopPrZTn3tSuEJVTh
Threatray 4'845 similar samples on MalwareBazaar
TLSH T11C84BF30BBE0C039E5B711F855BA97B8A62D79705F3091CB22D51AED0A386E8DD30797
dhash icon e0e8e8e8aa62a499 (12 x RaccoonStealer, 9 x RedLineStealer, 7 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-14 13:13:20 UTC
Tags:
trojan rat redline loader evasion stealer vidar
Link:
https://app.any.run/tasks/84fc603e-e720-4829-9b14-e63258c89978

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187820/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.20687.13906.21945.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61750f7ddb358dd15ed92279/reports/08f0b833-ec60-4b71-b6d5-4bacb78a4c1d/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dce16358-9adf-47bc-beea-6cbcf0177ad9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850715
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ebc7e1ea9ff210ff6cc6afc7ce54daa1b172fad5ff272f9e3243b80021ab73f/
Threat name:
Win32.Trojan.DanaBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 13:23:16 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t26h4hvj74qq75wmnl6hzzknvinrol5nl7zhf6pdeq5yaaq2w47q._file
Verdict:
malicious
Similar samples:
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
RedLineStealer
401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766
RedLineStealer
4029f8f49d060f47a5b543d85ec61bc676cb28d7eac52fe708e8ee5277e1d3c8
RedLineStealer
5b7865b9b1c270e09572cbe4de20f1a53fb9d47321e8690f2985e9786d89b169
RedLineStealer
847a38c590090d40f07ba44dd60592cd40fe1d37e5f3b65bd6c980be752faafa
RedLineStealer
912e8205fc8bcc3b22705ceb7ddf866db47398d7266ea60ca5da85044fb1c1d7
RedLineStealer
9e9a5392630865e8b66892cd096777695272a9bf4abdc0212b1a85c7358e588f
RedLineStealer
c033668e5a3c82e261b344df51117a1acca8a6eda9668c4fd854d5af8e6681a1
RedLineStealer
ff0f173ca6d27e16f34c5882e1ea4c56d723e502772dd015a67acae3306583ad
RedLineStealer
+ 4'835 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:norman1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210914-qmskdsagdl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.14.49.184:60921
Unpacked files
SH256 hash:
12b3e157cc84c5020cac286f19b8a2cd717cec043f5797167202fbc05a7ac7dd
MD5 hash:
8ef36f1c5881bc76be1c56c49acf8878
SHA1 hash:
e3db0f7d371bdff917411e60c229f62049e1be01
Link:
https://www.unpac.me/results/9d4e6b2e-a3be-4d4d-a362-1dc0afb70903/
SH256 hash:
b9d2a7261f25755a8a4caa1a29c8b309b6a6c3996515057362a2d24978483de2
MD5 hash:
4bd447a5fcff614aa5e64586efb9fd2f
SHA1 hash:
4f748e018682363bf9f295d12adcdbd02eb094bc
Link:
https://www.unpac.me/results/9d4e6b2e-a3be-4d4d-a362-1dc0afb70903/
SH256 hash:
5b978aeea9256ada12fd8904acc55b183f500dab41af96964e0ff403e4c34f28
MD5 hash:
3b4776ed4370961e071369ddef94f388
SHA1 hash:
2fc522051b795065f64187a109508919edbcc325
Link:
https://www.unpac.me/results/9d4e6b2e-a3be-4d4d-a362-1dc0afb70903/
SH256 hash:
9ebc7e1ea9ff210ff6cc6afc7ce54daa1b172fad5ff272f9e3243b80021ab73f
MD5 hash:
cabd1c84cae82b88dc69dae85c57570e
SHA1 hash:
a6e732bc3fe5a1d6d1f8a4e4033922309b0c2b59
Link:
https://www.unpac.me/results/9d4e6b2e-a3be-4d4d-a362-1dc0afb70903/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9ebc7e1ea9ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ebc7e1ea9ff210ff6cc6afc7ce54daa1b172fad5ff272f9e3243b80021ab73f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9ebc7e1ea9ff210ff6cc6afc7ce54daa1b172fad5ff272f9e3243b80021ab73f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187820/
  
URLhaus
https://urlhaus.abuse.ch/url/1550115/

Comments


Avatar
zbet commented on 2021-09-14 13:22:40 UTC

url : hxxp://37.0.10.214/WW/file6.exe