MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663
SHA3-384 hash: 217ec8826025220b59ab6ca55da109cd6fc12e276affa91548cd29fd122598987cdce07c7504aec496a01c784d7c0061
SHA1 hash: 429691a0e54d4cb93bd0fab48aeac023b3e96e91
MD5 hash: ea1f6e59778bd5e45efb84a58cfaf630
humanhash: vermont-colorado-arizona-dakota
File name:ea1f6e59778bd5e45efb84a58cfaf630.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:341'504 bytes
First seen:2021-01-14 07:02:23 UTC
Last seen:2021-01-14 08:52:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7304fc031c729ed62048b4dd8e72efab (5 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:qBbTZ4Egx8uoAhUmXIBkkyPEfnrCmTV9Utq97:qBbD6RVIBktEfmE9Utw
Threatray 262 similar samples on MalwareBazaar
TLSH 5E74122499018C25EC263BFF4B2167AE5086FE516702071E7D19ACCA277B0EBF95E70D
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://93.115.18.245:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ea1f6e59778bd5e45efb84a58cfaf630.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 07:22:47 UTC
Tags:
rat redline trojan
Link:
https://app.any.run/tasks/ec6d5637-68aa-468b-ade2-89abc3a30458

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111957/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Running batch commands
Creating a file
Launching a process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/581159
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339613 Sample: CU1EX4GT4i.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 76 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected RedLine Stealer 2->31 33 Uses ping.exe to sleep 2->33 35 4 other signatures 2->35 7 CU1EX4GT4i.exe 15 3 2->7         started        process3 dnsIp4 21 api.ip.sb 7->21 23 WHOIS.RIPE.NET 193.0.6.135, 43, 49728 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 7->23 25 3 other IPs or domains 7->25 19 C:\Users\user\AppData\...\CU1EX4GT4i.exe.log, ASCII 7->19 dropped 11 cmd.exe 1 7->11         started        file5 process6 dnsIp7 27 127.0.0.1 unknown unknown 11->27 37 Uses ping.exe to sleep 11->37 15 conhost.exe 11->15         started        17 PING.EXE 1 11->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 07:03:22 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z664rnnoss4wb7sqxly7w6hfvhsuikzm3mdlxsbdhlx5giepyzrq._file
Verdict:
malicious
Similar samples:
4eb5508fd5f2e2e2c78f406c2312dd83d7790d3822cb2182fbb86df85afd6777
RedLineStealer
51615786dd61880b418061e7ab53c560ab69e979879a27c2feb9f68a62996b72
RedLineStealer
71aaff890e5c76962463e4f1c102819a6f7469e76139b5b49282f5f596d7ea36
RedLineStealer
7328f90488ba26b3e9d92cf097f69a4ba7ffca152660bf1e126cc5d1c7a1f835
RedLineStealer
a8ae3cb248fb4721b27615276393e430bae895d37794b917f09980bd31c1176c
RedLineStealer
add432dca76d9ae5e7883d7fccba10211cbf0a6b2f694af0edc37a679739f375
RedLineStealer
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
RedLineStealer
c96f35457cc26c36104f053cb445c0835ead6434c3ce57adaae7911b2ab51d5c
RedLineStealer
cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
RedLineStealer
e8356fad49709d2563d2707dbb09f4f1019e30a0ff5836047a11b3d1d84f4d62
RedLineStealer
+ 252 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/210114-l4a9844hzs/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks installed software on the system
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663
MD5 hash:
ea1f6e59778bd5e45efb84a58cfaf630
SHA1 hash:
429691a0e54d4cb93bd0fab48aeac023b3e96e91
Link:
https://www.unpac.me/results/df8e07c7-838a-4020-951f-df74fc363440/
SH256 hash:
01969d9acaf7d030dd5655a7e4339bb18ecb5ec416754dbd44d98fb3f2cd098a
MD5 hash:
ce735a6143f0b9d1adcd8ed85472250d
SHA1 hash:
f8019e42fefd0d77707124e3a32b308ecc7b15c7
Link:
https://www.unpac.me/results/df8e07c7-838a-4020-951f-df74fc363440/
SH256 hash:
c720a283d6b9ece8383dd05cd1a1c1e5b951b81f46f7405031a7ca2005251a55
MD5 hash:
0a7609f599dab7641e1ca8e003f5179c
SHA1 hash:
2dc9620333679a73f8e2291ecea25b2f503c03e9
Link:
https://www.unpac.me/results/df8e07c7-838a-4020-951f-df74fc363440/
SH256 hash:
2c6f0b1c49d3f02d59eb5c13cabf3454af245c0a69d99d3c50278c70130c57c6
MD5 hash:
985bb2eefe0c602dec2fb3e271326489
SHA1 hash:
8dd60a81412ce265d4168e29e5011408c369859b
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/df8e07c7-838a-4020-951f-df74fc363440/
Parent samples :
cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663
SH256 hash:
96d75b7d2b500856308fa5cb24520befaf1432de6903bf744608ff434686483b
MD5 hash:
87bed7b122e8acb772a851e5f1422691
SHA1 hash:
bd6094ff201900358e822f1968c854fc99fb88be
Detections:
win_redline_stealer_g0
Create hunting rule
Link:
https://www.unpac.me/results/df8e07c7-838a-4020-951f-df74fc363440/
Parent samples :
cecd98d6dda67e9a447f9d59666feb8be4259e9c40cc49c29a2af94504145b54
b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cfbdc8b5ae94b960fe50baf1fb78e5a9e5442b2cdb06bbc8233aefd3208fc663

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/959714/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/111957/

Comments