MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eeaa4a0bcfc641d7f395c5a7d5ac15a8d50b18f8ef1ac3545c55c5679367228. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 10 File information Comments

SHA256 hash:	9eeaa4a0bcfc641d7f395c5a7d5ac15a8d50b18f8ef1ac3545c55c5679367228
SHA3-384 hash:	fa11e2a72f7c588988d2c55e972a34d7f0b7f44880bea66f72f01bec6b20c4d9ce0c407d0736b81ea54b00681c4931a4
SHA1 hash:	373bff8a86a336976bea0cd8ab86ff897984c872
MD5 hash:	2bd0394601a1a4006bc56efa2f405d25
humanhash:	floor-yankee-angel-november
File name:	2bd0394601a1a4006bc56efa2f405d25.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	898'032 bytes
First seen:	2021-05-03 19:56:00 UTC
Last seen:	2021-05-03 20:02:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	768:IMZabZ+J8L7/1AcXwvyfd/rUUektdCLs/l8Yx6eiLveJQV6yY0vA5ENbOm52aXEe:IMZg+J8vlBjN1Q+8iAT
Threatray	93 similar samples on MalwareBazaar
TLSH	EA154810B3D3D328F7D68DC5889430E76AE7FBF777B7CA965662006E0EB92412849709
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
94.140.115.158:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
94.140.115.158:80	https://threatfox.abuse.ch/ioc/28469/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/149055/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Sending a UDP request

Creating a file

DNS request

Connection attempt

Sending an HTTP POST request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Ficker Stealer RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/711600

Signature

.NET source code contains very large strings

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Ficker Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9eeaa4a0bcfc641d7f395c5a7d5ac15a8d50b18f8ef1ac3545c55c5679367228/

Threat name:

ByteCode-MSIL.Infostealer.Coins

Status:

Malicious

First seen:

2021-05-02 07:04:40 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t3vkjif47rsb27zzlrnh2wwblkgvbmmpr3y2ynkfyvofm6jwoiua._file

Verdict:

unknown

RedLineStealer

728beffcc4c6b9cab51ed5b4a459cc6f996ba0eb1a1e8c29f567de5701abcd91

RedLineStealer

7dc99e0fc03dc0936799d5328e864b67dd8c92d3ae90798cc542449e2f0d55da

RedLineStealer

abfd412e775e8a81efbd61484a67de9aed008c0e51910d9d8a9051c4ea9856b3

RedLineStealer

cde072db2b4374550769689ef072dba357436e36d2e75c1398d24896e0deaeb1

RedLineStealer

ddcf7dc656f8ac2165462e1099333cf3330717f0a90a2f44ed584c987b2a2326

RedLineStealer

e111f6f2fa1deba59df581d3c6ef269c3e3628b2649cb728e30092d8d30e258c

RedLineStealer

e8cac456b3e4a072d16142f0dd9f9b0500013cfefe7359e4293d4cff61f9eaf7

RedLineStealer

f3c279e61de77236f3390c91dee09f02aa01974e14e429426fa174e0ff8a7512

RedLineStealer

f5a3c92032bc45af8e374b619a5b6d046e6c3eadc83dc84595bffc4d6acab717

RedLineStealer

+ 83 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ftp infostealer

Link:

https://tria.ge/reports/210503-18ehl4kgxs/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Malware Config

C2 Extraction:

videdoshin.xyz:80

Unpacked files

SH256 hash:

ee0124a07be8a4fc5915b044a00856a40c0374c3ac7671b010926daa556d6b69

MD5 hash:

9fa603fc722c9295ca91f6f18b0a82c6

SHA1 hash:

ce039ada6a271a11a0fa64ae087c86e5179dae61

Link:

https://www.unpac.me/results/bdf9e1fe-4931-48ea-9fdd-1fa395da1742/

SH256 hash:

683d56e0b88c7f7d804b1236b46b6c9a30f3168cceb60c2e67b79bd2c311b8ae

MD5 hash:

e7874a16c7e873dd098ac0540280b3da

SHA1 hash:

09bb455607138f3dbbd8d8a7ec12bfc425060eae

Link:

https://www.unpac.me/results/bdf9e1fe-4931-48ea-9fdd-1fa395da1742/

SH256 hash:

9eeaa4a0bcfc641d7f395c5a7d5ac15a8d50b18f8ef1ac3545c55c5679367228

MD5 hash:

2bd0394601a1a4006bc56efa2f405d25

SHA1 hash:

373bff8a86a336976bea0cd8ab86ff897984c872

Link:

https://www.unpac.me/results/bdf9e1fe-4931-48ea-9fdd-1fa395da1742/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9eeaa4a0bcfc641d7f395c5a7d5ac15a8d50b18f8ef1ac3545c55c5679367228

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/149055/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample