MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1d0d84da1aa8f1f7292960498b7b685d568d6392e6babd357356800f61ae61d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: e1d0d84da1aa8f1f7292960498b7b685d568d6392e6babd357356800f61ae61d
SHA3-384 hash: 0a423809a8ff1f8b698974519fcf47100db4e9cbdcaeba16126b6773b1abc803eda09927c97c596d83a469073f8552f8
SHA1 hash: dd5f136429bf94f4e8c72e977881324163a4086b
MD5 hash: ebef6f629d4dd92f8c4714b4f9693642
humanhash: enemy-jupiter-kansas-butter
File name: ebef6f629d4dd92f8c4714b4f9693642
Signature: RedLineStealer
File size: 515'072 bytes
First seen: 2022-11-20 08:37:21 UTC
Last seen: 2023-08-24 16:40:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep: 12288:qh1Lk70Tnvjc3bVFmbubJhdwe10ZC8CnVR6apaw8eLsmHE:Ok70TrcrTOu3z10aVR6apaw8mk
Threatray: 4'571 similar samples on MalwareBazaar
TLSH: T104B4022135D0D173C576113144E6CB7A9D69B4224B7AA2C7BF8E2BBA6F113D0E33A1C9
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 487
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: ebef6f629d4dd92f8c4714b4f9693642
Verdict: Malicious activity
Analysis date: 2022-11-20 08:38:32 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-11-20 08:38:08 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer | Executable exe | e1d0d84da1aa8f1f7292960498b7b685d568d6392e6babd357356800f61ae61d (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-11-20 08:37:24 UTC

url : hxxp://cityoftransformation.com/16/data64_1.exe