MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e113281c669c7aa1e5a28d44ee632a1e12de4cb2ee63389c298d0ff12c6fcb87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e113281c669c7aa1e5a28d44ee632a1e12de4cb2ee63389c298d0ff12c6fcb87
SHA3-384 hash: c5d89c3de07a3adaaaea54a2ea74f7756c19fac096b8d3e410cc03955468a30ba1b0046e8cedabd98e70111c0178f455
SHA1 hash: 58b36ee17c53e58bd136e2b63e51d25a00dae890
MD5 hash: d55045e55d930facae1dda5cb8ef3cc1
humanhash: uniform-earth-bulldog-golf
File name:SecuriteInfo.com.Win32.CrypterX-gen.27275.31365
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:316'176 bytes
First seen:2023-05-20 06:28:28 UTC
Last seen:2023-05-21 08:40:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c51c419e64d37d41f3d25e7f43aa37da (4 x RedLineStealer)
ssdeep 6144:UICKgIRxhzqT3dlvFTgRJyKFvTSL4Tv7SNl0EiaivBzNHkI:wIRxQT3dldUxZTtT6bQD3
Threatray 2'919 similar samples on MalwareBazaar
TLSH T15D648D11754691BEF8AE067895B882B51D6AF4350F5FC3EBABCD02990FD05E2A630337
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
247
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.CrypterX-gen.27275.31365
Verdict:
Malicious activity
Analysis date:
2023-05-20 06:29:02 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/49dac790-e009-4ae9-a1f5-7d93f9d68ee4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.27275.31365.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/85900/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/646868af8f4dae9ba92438fa/reports/8d361a51-ca16-499b-af97-9f1cdb990635/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/e113281c669c7aa1e5a28d44ee632a1e12de4cb2ee63389c298d0ff12c6fcb87
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e041cfae-fb1e-40fd-adaa-8a5d9bb60cf8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237857
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e113281c669c7aa1e5a28d44ee632a1e12de4cb2ee63389c298d0ff12c6fcb87/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-05-20 06:29:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ejsqhdgtr5kdzncrvco4yzkdyjn4tfs5zrtrhbjruh7cldpzodq._file
Verdict:
malicious
Similar samples:
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e
RedLineStealer
20bd893c6533e002d8b51e41fd1f8b6717e34a10e0691fc41254807b78f77a75
RedLineStealer
34fd6c819f0ff0375583329f712d9ac94a78ca8314e612d4bd303ea8b918d4f0
RedLineStealer
5df17f53387714d342d63a5946626f3e52be8438ee0701b44c42506f7d003367
RedLineStealer
5e61ca396611b20ac59f4701d471fce71202fa690f5481c5f71d0f1b00336406
RedLineStealer
5eca819baed9b9624bfcf5b048699cbde7d8a9d9a0f28a99fcad341f775972f0
RedLineStealer
90a61538166854064428335c2b2beecf44fca5979e8fee4db712fc0b09f4729a
RedLineStealer
ca02d7d9ded6d35965b5eae79da178fbb884c9002ae33b342a689ee8842990dc
RedLineStealer
cf755affe24a7e970b02ffeceddce25f80f94c4b4cc547c8b5cd03493bb0e557
RedLineStealer
d3627bdaf1d8b36baff815b06e6155bb5decf04f20fa7300c0faebca4aa930e1
RedLineStealer
+ 2'909 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:tex infostealer spyware
Link:
https://tria.ge/reports/230520-g8wz9sdf4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
176.124.219.192:14487
Unpacked files
SH256 hash:
7df09ccda9b92bb20cbe2cdd9516b83a1ade8b12f9d22cca06b8fd72253a0dee
MD5 hash:
ea76d9341caaf4fbe2cdb1d9be63e133
SHA1 hash:
8b9c31ad8b1d08cb617aa0f7c430a394b4aeafb2
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3182baa7-20b3-4fe7-851d-26767fbda797/
Parent samples :
5954c5d07366206ec5ebb351f47197bb31cf4400a82a25beae6fa9dc6aa2af72
e113281c669c7aa1e5a28d44ee632a1e12de4cb2ee63389c298d0ff12c6fcb87
SH256 hash:
e113281c669c7aa1e5a28d44ee632a1e12de4cb2ee63389c298d0ff12c6fcb87
MD5 hash:
d55045e55d930facae1dda5cb8ef3cc1
SHA1 hash:
58b36ee17c53e58bd136e2b63e51d25a00dae890
Link:
https://www.unpac.me/results/3182baa7-20b3-4fe7-851d-26767fbda797/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e113281c669c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e113281c669c7aa1e5a28d44ee632a1e12de4cb2ee63389c298d0ff12c6fcb87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e113281c669c7aa1e5a28d44ee632a1e12de4cb2ee63389c298d0ff12c6fcb87

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2637368/
  
Delivery method
Distributed via web download

Comments