MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0e082892a55716593277a04dce73897f6b26ae30005b7b075940adcbeea9f92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0e082892a55716593277a04dce73897f6b26ae30005b7b075940adcbeea9f92
SHA3-384 hash: 6da6b845001e761fc2bf422f9634acc27319494538e4748424f8a7d64c8eba57f17226ac9310fdad734d87c5f214cb47
SHA1 hash: bd0fe1c5319309720782726f076a827b5ab0cfcd
MD5 hash: aaba70cf8248cb4b25a236136f68a3e8
humanhash: hydrogen-hot-south-jupiter
File name:aaba70cf8248cb4b25a236136f68a3e8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:417'792 bytes
First seen:2022-01-19 08:02:16 UTC
Last seen:2022-01-19 10:02:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0d9dff7965da5dfdec50f1a4a9983dff (1 x Tofsee, 1 x RedLineStealer)
ssdeep 6144:HIvxIco1b8RSaMemVEPIUP21bvv7rjGd3lAd+I:HIp7MbxafPoLJEI
Threatray 4'270 similar samples on MalwareBazaar
TLSH T17F94F12135C0C432C48291315916CFA26ABDFC345A66DA4B73A83B7E7EF13D0A67625F
File icon (PE):PE icon
dhash icon fcfcb4b4b4b4d9c1 (6 x RedLineStealer, 3 x Smoke Loader, 3 x Amadey)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.10:39759

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.10:39759 https://threatfox.abuse.ch/ioc/299070/

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220514/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.12125.4438.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4689/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61e7c5bbd32385db63071727/reports/f399df7e-e525-4018-ba4c-829362957675/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e40088b7-f57a-4f52-970c-d67ec6839090
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923290
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0e082892a55716593277a04dce73897f6b26ae30005b7b075940adcbeea9f92/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 08:07:56 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dqifcjkkvywlezhpicnzzzys73le2xdaac3pmdvsqfnzpxkt6ja._file
Verdict:
malicious
Similar samples:
2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df
RedLineStealer
61945cb0d37bfb32d2f818e6b118d9968213903e73570769eda83a4405c5d783
RedLineStealer
6c90a4a65b4d10539243734b9783c414e8a95501e1272e1ef1de6b0e284d5899
RedLineStealer
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
RedLineStealer
819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0
RedLineStealer
a51ddfebbff6f4599a904655a5bac8e51234c4f7e9c3d2faa4cbc24f1f94ec3c
RedLineStealer
a78ca974527199f93fa840fb13ccfc1808fb5d8288fc717e9136f3aff43efeee
RedLineStealer
+ 4'260 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220119-jxrbragbfl/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
8e0b12340eb0e458e3ebcb8108f31b6c89d3f15ad8c64342101c19f8b6f20540
MD5 hash:
864e6a37eae03e58640045958f2ab0bd
SHA1 hash:
493c13e0320508a5310f94b05781f477fa2a6eb2
Link:
https://www.unpac.me/results/39deff1d-0a9b-4148-adc6-71b1b0f81e6d/
SH256 hash:
d9ab4252d6f436ae3dc194706ea3b0c10e7d4769e03bf1b6cba511978ed54f00
MD5 hash:
d7e8c78d59106be59628de95abc8b333
SHA1 hash:
4299ec816112620d84863871bcb05ba4497e361f
Link:
https://www.unpac.me/results/39deff1d-0a9b-4148-adc6-71b1b0f81e6d/
SH256 hash:
a22768933b793c6b748377c1e504162556640e03a4fb5f019f9f9d78ad17213b
MD5 hash:
a5c9f2963321f324d589ca200123ae7d
SHA1 hash:
13c59f6d15a749018962cd7f8c56eeffeca18815
Link:
https://www.unpac.me/results/39deff1d-0a9b-4148-adc6-71b1b0f81e6d/
SH256 hash:
e0e082892a55716593277a04dce73897f6b26ae30005b7b075940adcbeea9f92
MD5 hash:
aaba70cf8248cb4b25a236136f68a3e8
SHA1 hash:
bd0fe1c5319309720782726f076a827b5ab0cfcd
Link:
https://www.unpac.me/results/39deff1d-0a9b-4148-adc6-71b1b0f81e6d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e0e082892a55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0e082892a55716593277a04dce73897f6b26ae30005b7b075940adcbeea9f92

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e0e082892a55716593277a04dce73897f6b26ae30005b7b075940adcbeea9f92

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/220514/
  
URLhaus
https://urlhaus.abuse.ch/url/1979527/
  
Delivery method
Distributed via web download

Comments