MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011
SHA3-384 hash: 9f98765213e703a62449ba71548724542f214f7ef5706f50154080e553acd1f72ef56ebf6e23ccf5b0e58af8a1f002b7
SHA1 hash: 571908a143295bba4d75b57e953f4f18e3bc74cd
MD5 hash: c26cc90827555cd37a7a5c1088c0261a
humanhash: jig-yellow-video-montana
File name:SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:631'808 bytes
First seen:2021-02-27 14:15:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:poFE9Yot8fxKr5ACjwOjiVELiRRKD5O46ZW3ql8/:WWxN8OGVEOj90t/
Threatray 92 similar samples on MalwareBazaar
TLSH A8D4BE0071BE8B56C9FC4BF90691915423F5667E729EE31C0EC631EFAA22B424B51F23
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315
Verdict:
Malicious activity
Analysis date:
2021-02-27 14:18:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa352458-ee2e-4a1d-87eb-3a8eb5c85c08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119593/
Detection(s):
SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/620414
Signature
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 22:38:29 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
002169163197e9a6fbe52c9d5cad8e901e52613d2ff4efbe2ccac367cea51af9
RedLineStealer
117a47316ab68fefcd1ab9c8c00a763852cb569fa5a487fe8dd4efdf8702f3aa
RedLineStealer
22a6bcf4a037a4ce39127fdb0cb4f8995f647e26318d857939978679342e9494
RedLineStealer
23d7ce502485cf7235a79bfa2b6fb766aa824fc49403d0120b8f719cc03aed06
RedLineStealer
75ae1751515b48d24859c91fd08bd0595d84decb06566c1d3eec6363b0be9d82
RedLineStealer
e4439d8b95f2011f963c521c78157dff93a3985d37854bbc37992a06523f0d30
RedLineStealer
e575af9a4b8de92d24859894514462f2c9ab0a5cb16cf1798a55c923613cd13c
RedLineStealer
e9a66c730fa980242a636338edc5351b82fc20ac3425b6bc1f3e4ec5ed8a5fe2
RedLineStealer
ed07c985a733c95aefb4fa4c1fca696471260dd5c72f71f21297a94dd23c159d
RedLineStealer
ee2d4fc12ea7c99a8e94f0222cdeb5f10c36c1ca797bd9eb0dc80e8d8efed315
RedLineStealer
+ 82 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/210227-qcspvv3a92/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Unpacked files
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/9628a858-678b-4c84-8744-dc4c04173d98/
SH256 hash:
fada6b4888d87dd415c58e247334c2b52576940d822cb5ff91fdd5b4c534dae3
MD5 hash:
31becc04418d7e7110adc35f45dcb223
SHA1 hash:
1d221eeda680fdd4e2d18d6e0a9f24e42061c4f5
Link:
https://www.unpac.me/results/9628a858-678b-4c84-8744-dc4c04173d98/
SH256 hash:
7876a413fb23ea1062ae650a23bddb46b6bb2c0bed318bbf4572df92cb09eb13
MD5 hash:
e1c6793697c736b24427c1ecfc1a01e1
SHA1 hash:
a6f7f09faa3bdbf1393a93b357eccae979c08161
Link:
https://www.unpac.me/results/9628a858-678b-4c84-8744-dc4c04173d98/
SH256 hash:
e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011
MD5 hash:
c26cc90827555cd37a7a5c1088c0261a
SHA1 hash:
571908a143295bba4d75b57e953f4f18e3bc74cd
Link:
https://www.unpac.me/results/9628a858-678b-4c84-8744-dc4c04173d98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1035587/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/119593/

Comments