MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0652703b879a1a18ed2832c469788ae140ad8a03cc910591e4c2fa8dbad3223. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	e0652703b879a1a18ed2832c469788ae140ad8a03cc910591e4c2fa8dbad3223
SHA3-384 hash:	be157fff209eea9f30477757f87a1e88a418cfb8ab021df0897d06860d1699791a205ab741465d089af308e9e90e7f89
SHA1 hash:	26ffeb580d499d3b12b826650858bc2a6c3b3e4c
MD5 hash:	d8b2c3c15f6022aa397b9d9774595024
humanhash:	hydrogen-alpha-ten-potato
File name:	e0652703b879a1a18ed2832c469788ae140ad8a03cc91.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'111'872 bytes
First seen:	2022-03-16 22:16:09 UTC
Last seen:	2022-03-16 23:42:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	98304:vvZoERtJreNHnEF41F0vJRPfEvBfedekXvsQ1yX:3jRtJKNkuzKEfmrUGE
Threatray	1'701 similar samples on MalwareBazaar
TLSH	T153163373BB4AE258DF9886B949BDD1B335C368846D706D00836F4CB7621AC76743639C
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
188.127.231.79:46066

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
188.127.231.79:46066	https://threatfox.abuse.ch/ioc/395873/

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

e0652703b879a1a18ed2832c469788ae140ad8a03cc91.exe

Verdict:

Malicious activity

Analysis date:

2022-03-16 23:11:39 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/3450470f-2597-4489-99e5-d13bc2559eab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/251662/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/623261e40cd58dbd92a96808/reports/83542105-9c17-4368-9ec2-85c260521256/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/81b31eb6-a7a8-4adb-bbda-17f0ae062334

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/958382

Signature

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e0652703b879a1a18ed2832c469788ae140ad8a03cc910591e4c2fa8dbad3223/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-03-16 19:15:21 UTC

File Type:

PE (Exe)

AV detection:

25 of 42 (59.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4bssoa5ypgq2ddwsqmwenf4ivykavwfahterawi6jqx2rw5ngirq._file

Verdict:

malicious

RedLineStealer

35d04737f87fbd1cb97d05dda7d795b419ddc767131034a0d00193b8f68f3330

RedLineStealer

66c2d16720a324ba29f89aeabfeac44cceb594fae97684f6b903bec8b82fbf49

RedLineStealer

6816dd50b149090375a632d46dc79d88d8c1c7ec28a7495bdf15e7480748eda1

RedLineStealer

784b57a228a2f48425e7bbb078d32b1fed781703235408f0f5596a5a9fa85de1

RedLineStealer

a196c6f0e2c8355b5dc3ff846ddd055add175e048c4f58c1270424f8fe7b5f3c

RedLineStealer

a6c03e7b69ffe6152468171e8669db1915efc0f225449dd2278f0c7e40e15ee2

RedLineStealer

c937ab727bd34bd8c83e2ea01054cd60363ca35bd99fccf46b1f1f1f119715db

RedLineStealer

d212d1c7a3ed6723bebf3b3214a0b738bbc5cb2fd3c7379190c819285a67f47d

RedLineStealer

+ 1'691 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220316-17cpsafccr/

Behaviour

Program crash

Unpacked files

SH256 hash:

8d243edea681802a20abc2b0735c703b0e09d3f6f236b45be8172d9933d3320a

MD5 hash:

47fabd741c6c1c05cf36c3db3c92931b

SHA1 hash:

dfc4dad5268f576d16704faa72814b5dd28a9b1c

Link:

https://www.unpac.me/results/e5d029b2-ffcc-49e7-96c7-65ba32c230db/

SH256 hash:

bd7c23420f43a725d7f6b0b9935bd506a7e4ef26fcaabfb32fb6b7250863bebd

MD5 hash:

eb29fd0ada8cb50ebd96ac5b0acd2bc5

SHA1 hash:

ad02f069386ea064893a5993199b4007b9929473

Link:

https://www.unpac.me/results/e5d029b2-ffcc-49e7-96c7-65ba32c230db/

SH256 hash:

e0652703b879a1a18ed2832c469788ae140ad8a03cc910591e4c2fa8dbad3223

MD5 hash:

d8b2c3c15f6022aa397b9d9774595024

SHA1 hash:

26ffeb580d499d3b12b826650858bc2a6c3b3e4c

Link:

https://www.unpac.me/results/e5d029b2-ffcc-49e7-96c7-65ba32c230db/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e0652703b879/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e0652703b879a1a18ed2832c469788ae140ad8a03cc910591e4c2fa8dbad3223

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/251662/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample