MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca
SHA3-384 hash:	0cfaa44a00c2155aca22526901ca0960ea0313b3e42f51020cfb88a2694b38b16ee87b946f9c712298db519bbaf26fd6
SHA1 hash:	bb4df7f42cbdce751f405cf0be24062416cd432a
MD5 hash:	43af94351e59fb81519b150dfe0f7fd8
humanhash:	bulldog-friend-twenty-michigan
File name:	43af94351e59fb81519b150dfe0f7fd8.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	401'920 bytes
First seen:	2023-02-05 07:35:10 UTC
Last seen:	2023-02-05 09:37:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9d027e1822da283963b2da86a5b0354e (17 x RedLineStealer, 8 x Smoke Loader)
ssdeep	6144:OMajDxoyL2vvBfLKSuBSUK45kurbXQBfWw3iVzlNCcm:OMajDxoyyv4ScJqwAB33iVGcm
Threatray	14'368 similar samples on MalwareBazaar
TLSH	T17784F1323A90C072C4A915705C61DA65BBBFF8305531CD5B7BA81BAA5F703C1A37A39B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	916a6e6a6a6a6a70 (15 x RedLineStealer, 12 x Smoke Loader, 5 x Amadey)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
62.204.41.170:4172

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

43af94351e59fb81519b150dfe0f7fd8.exe

Verdict:

Malicious activity

Analysis date:

2023-02-05 07:36:11 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/c2b10c8d-7fae-4c69-861e-db8ef81347ef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/360359/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65342024.1512.6848.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/63df5c631c9cbf7d6255ee39/reports/b51075b3-b987-4fa0-9ac6-4052fd6b9b44/overview

Verdict:

Malicious

Labled as:

Ransom.51A80467

Link:

https://www.hybrid-analysis.com/sample/e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a74bec51-eff6-4782-8574-aee849fc2381

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1165950

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2023-02-05 03:17:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4irghpgdxlm2j45qkkkgdo6s3urc5gxmoo5tmz4pake55ig54tfa._file

Verdict:

malicious

RedLineStealer

4250602036e16dedef56f32955aa4611628e3a87fa53bf2e23e30ddd8b4bd8fd

RedLineStealer

46d0c478b2b6561e60495603528ca93b5da7db8d28325a973587294d46531a84

RedLineStealer

853d470cb6c7a48e716a178ab202715abbd3972e04f4a580c3b335624c6e4062

RedLineStealer

9345c508148e73ed01deb38869d1fd47a3b1050d93977ea54bdccfed508e7b4f

RedLineStealer

98b338db8e45e180cdc512c6dc83128354d3a6f64f5da8d538963dcc9c6a2342

RedLineStealer

a2224d02026b17afced0929449070dc642ca5682b7993dd892aa56ff1dec45c4

RedLineStealer

af289afd122890f39a8bebe48bc8e831f646d34bf2cf05f81510bd7c9bd5121f

RedLineStealer

e3416fbffe2457813573c9083b27d317ae0e329c92322ca2241b1a943b215ed1

RedLineStealer

f485cfb394249f052aa5514b1c4b75981f80f5e366d18bcf05eb1ac38bdf9601

RedLineStealer

+ 14'358 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:zaur discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230205-je8s3scb6v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

62.204.41.170:4172

Unpacked files

SH256 hash:

bd306f1eb9573ca90c359ba059a7ee3e4f2fa81b94886544efbc70fab6b0c529

MD5 hash:

cf661fb505ff59ab4942e70962ff54ce

SHA1 hash:

8eea31a315019e342388a838ab256c4da990b5dd

Detections:

redline

Link:

https://www.unpac.me/results/1dde9474-7b3c-4f23-95ce-f81de189e25c/

Parent samples :

e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca
d52ccdf8ff0f75d337167b63b736c3a908c48caf6bbd39a2434e0baac41eef6f
7becab35b4300ad3c0be8e7dc12f311b140cb8a7b5338e0102fcf6f71c97157d
15019e74fe93e132d60d4f7fa7f2b23967c6bf0675936c0874117663067f8874
1498389b39bb5db52d583bc40f9e021934d53bbf8b363809ca0d4e58f9ba30ef
fcc8a1cd9b32433a8735fae44718bc36b2ea00b96df212c9d63186031d7af10d
ebd46441b3e3a1c1e64d6b0952dacb9bcdd896bb95c8a62bc3a4028a58b1573c
0e36e23f795621dce7b398b59cbb4db16683da88e133210f1bb17879b1dc94a6

SH256 hash:

2a62ac253b6cd959b7131d37268d99bc515a09343e985cebda911d403bbf224e

MD5 hash:

314b2f270faf2d3af32447d1a19e873e

SHA1 hash:

88228152e3351a0cb3906e610fe05787ce814d7c

Detections:

redline

Link:

https://www.unpac.me/results/1dde9474-7b3c-4f23-95ce-f81de189e25c/

Parent samples :

e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca
103f1c25aaac16c39aca36ca629b1ab3b1226170753074ae924f27c0326aff1b
d52ccdf8ff0f75d337167b63b736c3a908c48caf6bbd39a2434e0baac41eef6f
7becab35b4300ad3c0be8e7dc12f311b140cb8a7b5338e0102fcf6f71c97157d
15019e74fe93e132d60d4f7fa7f2b23967c6bf0675936c0874117663067f8874
1498389b39bb5db52d583bc40f9e021934d53bbf8b363809ca0d4e58f9ba30ef
fcc8a1cd9b32433a8735fae44718bc36b2ea00b96df212c9d63186031d7af10d
ebd46441b3e3a1c1e64d6b0952dacb9bcdd896bb95c8a62bc3a4028a58b1573c
caf51bbc26408a0d9e3b24595b0318e128b9bc98ce713fa936ffbaadea6a33ad
0e36e23f795621dce7b398b59cbb4db16683da88e133210f1bb17879b1dc94a6

SH256 hash:

7e39c951b6d469fa7e68bdcae3bfd9a98ad100a2b2db55dae88e71640823f65e

MD5 hash:

685932fb80294b302dd6b0910f692421

SHA1 hash:

02193d6758faa9808ef2e5b5e8d96665906d77ba

Link:

https://www.unpac.me/results/1dde9474-7b3c-4f23-95ce-f81de189e25c/

SH256 hash:

e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca

MD5 hash:

43af94351e59fb81519b150dfe0f7fd8

SHA1 hash:

bb4df7f42cbdce751f405cf0be24062416cd432a

Link:

https://www.unpac.me/results/1dde9474-7b3c-4f23-95ce-f81de189e25c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e22263bcc3ba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe e22263bcc3bad9a4f3b0529461bbd2dd222e9aec73bb36678f0289dea0dde4ca

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2529227/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2528642/

Cape

https://www.capesandbox.com/analysis/360359/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample