MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SHA3-384 hash:	b2f4348aff584dd57c790f1aed33e7ee2fb8869391a6c8f303a22d5f67052b6361255630dae146649f769f38ed9c9cbd
SHA1 hash:	68ef07fceac0a4363c17a9d517bad36d2667082f
MD5 hash:	5f2e3a1eaf13eba62d9160db940348ad
humanhash:	wolfram-london-stairway-mountain
File name:	5f2e3a1eaf13eba62d9160db940348ad.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	377'344 bytes
First seen:	2023-07-24 12:50:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	266fc9b95dac31574046704a6db5e3eb (3 x RedLineStealer)
ssdeep	6144:xbLXomMHHQRBixvYmDJIebC3xtqeimntLT11:BTomMHeUvYiIeVei0T
TLSH	T1E784290792B13D57E917DB728E1EC3E8761EF2608F5D7BA6D2199A2B04B10B2D273710
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0000001000040000 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
149.202.8.114:26642

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

5f2e3a1eaf13eba62d9160db940348ad.exe

Verdict:

Malicious activity

Analysis date:

2023-07-24 12:51:17 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/bad98ffc-7e43-439c-9e99-12f09ebbb957

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/430733/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ff6f3d5b-b918-4a9e-8e06-57f9cf7e147f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1278307

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redline

Link:

https://mwdb.cert.pl/sample/e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-07-24 12:51:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4hmgjhwulu2ip3lv6o2w7qdomosasfrmkkhk6n4l756css36pp5q._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230724-p3g8xsdf5v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

149.202.8.114:26642

Unpacked files

SH256 hash:

1161f2aaede4428d7c5ad55c68d14531c7459a2a946e9b946553027db4087b9e

MD5 hash:

5b9e910f14c9664c591d075ccfdda0c3

SHA1 hash:

dbbbe03ec1f8b19d8ae3c39912c7cc07d35c0fe3

Detections:

redline

Link:

https://www.unpac.me/results/1492353a-7936-451c-8dee-2512da650035/

Parent samples :

76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb

SH256 hash:

cbb2b3d88f8407ad3533d49d83ee97450a946073cbf9eface7bf8a0aba6a2977

MD5 hash:

1170152a8e1dc3e4b9c38d8146362e81

SHA1 hash:

d1a14beb19d4242e9237c59d5b5d85a3c2c70aa1

Detections:

redline

Link:

https://www.unpac.me/results/1492353a-7936-451c-8dee-2512da650035/

Parent samples :

SH256 hash:

ae08b6ce7cdd04919c987c48a8e1fd11316e15f8071c063e8060251ba49e092e

MD5 hash:

b9ac7ada76639bf533b86fc0ae86597c

SHA1 hash:

74ce4a5df518a85c44d5d51fd3213fd6da36940d

Link:

https://www.unpac.me/results/1492353a-7936-451c-8dee-2512da650035/

SH256 hash:

ef904719bce27fd4ef1e3221cb658a1ba93f7fafccc16d6e0ffb00a1bfb399e9

MD5 hash:

3c81ebdb4f2dc1f98485343dfeaedce5

SHA1 hash:

0ce97f6e8d3cdac8b68329d57b4d16873d6ed167

Link:

https://www.unpac.me/results/1492353a-7936-451c-8dee-2512da650035/

SH256 hash:

e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb

MD5 hash:

5f2e3a1eaf13eba62d9160db940348ad

SHA1 hash:

68ef07fceac0a4363c17a9d517bad36d2667082f

Link:

https://www.unpac.me/results/1492353a-7936-451c-8dee-2512da650035/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e1d8649ed45d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/