MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1e0ae32f561d6a8c1fc3d91a6b882585df5e501e7a37442f9e40444b4859e9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1e0ae32f561d6a8c1fc3d91a6b882585df5e501e7a37442f9e40444b4859e9a
SHA3-384 hash: fd14c9b3b9d230a1316a70d2b6eca2d8b016c9bcbdef30e5a8e504ebc7ee8ebcefdd005a58bf5a19e5cb4866705ff677
SHA1 hash: 4e7cf1acf07b4321b9efc2e2985201b1dcd258d3
MD5 hash: cb83bd92ad71c54fc59ac4d38fc82b7a
humanhash: lemon-golf-emma-item
File name:cb83bd92ad71c54fc59ac4d38fc82b7a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:645'536 bytes
First seen:2021-05-29 12:10:08 UTC
Last seen:2021-05-29 12:47:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:vQd5iy5LvRTOsoME5rY4c30XbJHUESGwz:I6KLt3DC047JHUTzz
Threatray 432 similar samples on MalwareBazaar
TLSH 30D48C043A5AD2D1FB250BB464AFA0D8C7727D17A9F0D9ED2D4273EE1BF93804586B42
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
46.166.128.237:59941

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.166.128.237:59941 https://threatfox.abuse.ch/ioc/66769/

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cb83bd92ad71c54fc59ac4d38fc82b7a.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-29 12:15:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/340ae8e3-9620-447d-b57d-51078eb15a37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163160/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.774.9669.23474.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/794229
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1e0ae32f561d6a8c1fc3d91a6b882585df5e501e7a37442f9e40444b4859e9a/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-05-29 03:40:31 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hqk4mxvmhlkrqp4hwi2noeclbo7lzib46rxiqxz4qcejneft2na._file
Verdict:
malicious
Similar samples:
177ca17e687ece45d924c37610fdc99f088cbf7c85bce7fdae6ccf9e9d955b41
RedLineStealer
2dd166e5968ce8fc408b6ee13c4508fd4bbef1c94e62d450b9100d68294a8ce4
RedLineStealer
301524c3f959d2d6db9dffdf267ab16a706d3286c0b912f7dda5eb42b6d89996
RedLineStealer
493a50f6b2ac42df9552c7b9ce8b56e776e05fc0ed6d80c5b3a5d60909626e81
RedLineStealer
5ff5ff8c1ad2973809fa18ce1454a731f41ce5d5ec3329dfe004d13a52ca6fb5
RedLineStealer
9521b61a783dfe09bdebb6f5ab1c138b5db8fba276aeacc17370c70ed9513ca8
RedLineStealer
98ede977d95e3ce373b2d6613e7128c138d959f94060f47b63b6d087811aba60
RedLineStealer
da5665588c0b3c7678eb3586ca6fcce9d2c181b02e1ffd712e99aa5892fe8748
RedLineStealer
f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7
RedLineStealer
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
RedLineStealer
+ 422 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@zhigalsz infostealer
Link:
https://tria.ge/reports/210529-a2694ddg6n/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Contains code to disable Windows Defender
RedLine
RedLine Payload
Malware Config
C2 Extraction:
46.166.128.237:59941
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/e1e0ae32f561d6a8c1fc3d91a6b882585df5e501e7a37442f9e40444b4859e9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e1e0ae32f561d6a8c1fc3d91a6b882585df5e501e7a37442f9e40444b4859e9a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/163160/
  
URLhaus
https://urlhaus.abuse.ch/url/1288379/
  
Delivery method
Distributed via web download

Comments