MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce6ebaabe86af1f46e1b41caa619bceff86cb6adb25970f2be869b059aa0ab2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce6ebaabe86af1f46e1b41caa619bceff86cb6adb25970f2be869b059aa0ab2f
SHA3-384 hash: 30413007b52a287bb7ba212dc55331f756712124fea56970bbc5c11dfa705ca929118934c0a82726e6109482cc32a5b1
SHA1 hash: dc95902daf82c7e227f33bc6607c848f439f1bd5
MD5 hash: 331ad3f4c9d14f480bad2dc82ae4f835
humanhash: early-batman-undress-blue
File name:331ad3f4c9d14f480bad2dc82ae4f835.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:314'880 bytes
First seen:2021-09-25 09:49:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b423274974f58a1d1a63a5242c6dcf99 (12 x RedLineStealer, 5 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep 6144:3qR8nLUIvjkA42/uAulJ/uvH9G9viO26yg/vOpGSBwjt4:6R8n4MwA4uulJWG9vh29GSBay
Threatray 5'948 similar samples on MalwareBazaar
TLSH T14464E101BEA0CEB1C56315304864D2F066BAF861FAB5CD4B7B6DFA7E7E302805269357
File icon (PE):PE icon
dhash icon 327e7c7d727e6e76 (14 x RedLineStealer, 13 x RaccoonStealer, 3 x Stop)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.15:6043

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.15:6043 https://threatfox.abuse.ch/ioc/226451/

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4764467877543936.zip
Verdict:
Malicious activity
Analysis date:
2021-09-22 08:38:03 UTC
Tags:
trojan evasion opendir rat redline loader stealer vidar raccoon
Link:
https://app.any.run/tasks/25968872-e459-4c61-b191-4f58a911195e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191485/
Detection(s):
Win.Packed.Generic-9895572-0
Create hunting rule

Win.Packed.Fragtor-9895678-0
Create hunting rule

Win.Packed.Fragtor-9896090-0
Create hunting rule

Win.Packed.Fragtor-9896091-0
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4acb2b6-6e09-4e18-a7ff-b87ae096c5d9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/857945
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce6ebaabe86af1f46e1b41caa619bceff86cb6adb25970f2be869b059aa0ab2f/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 22:33:55 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzxlvk7inly7i3q3ihfkmgn4574gznvnwjmxb4v6q2nqlgvavmxq._file
Verdict:
malicious
Similar samples:
1df7d3e67e65403a617b188deb6c172b1aa342591badd64fdd1562fcdde0b097
RedLineStealer
29c5edac63fee5c99aa2307b2b16bfb5123a51d3c9dfef6bfb1342e18a20d641
RedLineStealer
32b9b4bce4d318a9df816799b1ab544126244277da5d9d5395f05e926c238cc0
RedLineStealer
35e01293efaa4e9616a8431691e332f49a939942100f6e6662145df7c4602040
RedLineStealer
4a1eb5d077f5f4134acde43b07cda42bc1f03570bfcdba0289ef2af4212d0bf5
RedLineStealer
71f8415c24040b573b4852f93ba4df25f83f2a57c536ca9b19011b6ceb9c4528
RedLineStealer
b2bbf81e6846b2cb9f72eccbb9e04ad7ade462b048b8cd846db957c38a3c1ff5
RedLineStealer
d997208b59dc3bae89ab68453b58ced90b1fe698d6e7385a6221d1b54698b000
RedLineStealer
dd11a4f5d3e725f42278185fef61b35de16b75c5ea06688579d986b5eda56ce5
RedLineStealer
e56b53500bf0072f709cec8121a19d8d98a42672ff4df8c3079518d68b6c4f3f
RedLineStealer
+ 5'938 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix22.09 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210925-ltz6labad7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.15:6043
Unpacked files
SH256 hash:
c0e8aabcabafd1a074548f7fba35036fbc3fbded707f05129b68dacf1bed1b53
MD5 hash:
938c312913f8eed3551778a2c249ab99
SHA1 hash:
fcffa418f6d53b0b9956173c5a265befdc22f977
Link:
https://www.unpac.me/results/5b094902-976f-4697-b381-39fcb6df9d88/
SH256 hash:
6a5441300a32212a3141b9f5dcc650da5ef0ddaf0ce19b4829f13b2cf4d01531
MD5 hash:
8f521a88af974f41624c8e33c2d3041e
SHA1 hash:
d3a2c799c4efdf167b7ecb0f37acdcd00220fdd8
Link:
https://www.unpac.me/results/5b094902-976f-4697-b381-39fcb6df9d88/
SH256 hash:
4f14e727f0bb3d817c8774ca1175b55c53287978dd030c98164deec18cd6f773
MD5 hash:
f26366b10edac911139b3166e0badede
SHA1 hash:
505303f56cf612be7491b90d0789d3e873f7f66d
Link:
https://www.unpac.me/results/5b094902-976f-4697-b381-39fcb6df9d88/
SH256 hash:
ce6ebaabe86af1f46e1b41caa619bceff86cb6adb25970f2be869b059aa0ab2f
MD5 hash:
331ad3f4c9d14f480bad2dc82ae4f835
SHA1 hash:
dc95902daf82c7e227f33bc6607c848f439f1bd5
Link:
https://www.unpac.me/results/5b094902-976f-4697-b381-39fcb6df9d88/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce6ebaabe86af1f46e1b41caa619bceff86cb6adb25970f2be869b059aa0ab2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ce6ebaabe86af1f46e1b41caa619bceff86cb6adb25970f2be869b059aa0ab2f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/191485/
  
URLhaus
https://urlhaus.abuse.ch/url/1638129/
  
Delivery method
Distributed via web download

Comments