MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e261714c041e882655e0f964c9ad2aa4161035897daf11cf7d9b385aae12f0d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	e261714c041e882655e0f964c9ad2aa4161035897daf11cf7d9b385aae12f0d3
SHA3-384 hash:	33911c9cc3db431d14f0c0706c4f4e9fca901b93826106aca8b94445033d52f2bab5934f69bde0881a59cf99ecabf019
SHA1 hash:	3ce547885e36e9ce661fc9c2043304346a5887ef
MD5 hash:	111434bb965f37437c651367550f6fe4
humanhash:	artist-seven-queen-bulldog
File name:	e261714c041e882655e0f964c9ad2aa4161035897daf1.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	454'144 bytes
First seen:	2022-01-26 12:55:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4bcde812b040ca4f517d950272a8fa16 (7 x RedLineStealer, 2 x ArkeiStealer)
ssdeep	12288:k4MwQ2skSESPxPl9VO2mk8rVWiQ5olAJ6qQ8fswQ:TKnOCx99YFzBJQJ1fd
Threatray	4'168 similar samples on MalwareBazaar
TLSH	T11EA4BE10BAA1C035F6B716F405B9937CB62E7AE25B2450CB63D52AEE57356E0DC3230B
File icon (PE):
dhash icon	25ec137831939b91 (3 x RaccoonStealer, 3 x Smoke Loader, 2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.29:20819

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.29:20819	https://threatfox.abuse.ch/ioc/334657/

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e261714c041e882655e0f964c9ad2aa4161035897daf1.exe

Verdict:

Malicious activity

Analysis date:

2022-01-26 12:59:25 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/68b295b4-f490-40b8-98d4-e05dc28fe84c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/223223/

Detection(s):

Win.Dropper.Mikey-9917324-0

Win.Packed.Tofsee-9937387-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5200/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61f144e98581cbffe085fef7/reports/5732c827-7171-45a7-a11c-c01c5435dd8f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f30f9a0-5e21-4baa-8864-85ac622777b4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/927944

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e261714c041e882655e0f964c9ad2aa4161035897daf11cf7d9b385aae12f0d3/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-01-26 12:56:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4jqxctaed2ecmvpa7fsmtljkuqlbanmjpwxrdt35tm4fvlqs6djq._file

Verdict:

malicious

RedLineStealer

2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7

RedLineStealer

2c6fb05b3c1bd42eb6d7c969e8020e76ac9bc91811466e2e84cefe6e001302d0

RedLineStealer

6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3

RedLineStealer

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

RedLineStealer

987651f9f7dbdae2eb283db2328f4daf4970bd487bbaf5e3892cb980305a24f5

RedLineStealer

da551b8982f8cb67c55108b405be9ca5e5deb1f2f716adc85d0260d37e74373a

RedLineStealer

+ 4'158 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220126-p6cslsdaam/

Behaviour

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.29:20819

Unpacked files

SH256 hash:

e202c11d527f5d89f97dded104fd276a484b40ae19ab5af32c0539fcefa0d4f5

MD5 hash:

72b793292146793718feee9519111164

SHA1 hash:

ee14d4b283eb63ad305182c5ebbe06bffbf77b21

Link:

https://www.unpac.me/results/24ad8985-5168-4b7b-9478-4624b63d1cae/

SH256 hash:

859ebd7a7e8f8f3f45d94416074fd24b20933c8537f5ebc5e451f89096c41f9e

MD5 hash:

b0bde6717c5ca23c517fc392bd550af5

SHA1 hash:

8da77b12caabd1ad230d2ede9413e52e616e975b

Link:

https://www.unpac.me/results/24ad8985-5168-4b7b-9478-4624b63d1cae/

SH256 hash:

bd1603b229dd4f2ebae6d60528b5ddfd8c153ee45fc6f24de225150728cfffe4

MD5 hash:

c7da4857025812b8ae4ef9e241cc0f00

SHA1 hash:

6e5e378f1eaf5677aa4d096a43cc84c08b368202

Link:

https://www.unpac.me/results/24ad8985-5168-4b7b-9478-4624b63d1cae/

SH256 hash:

e261714c041e882655e0f964c9ad2aa4161035897daf11cf7d9b385aae12f0d3

MD5 hash:

111434bb965f37437c651367550f6fe4

SHA1 hash:

3ce547885e36e9ce661fc9c2043304346a5887ef

Link:

https://www.unpac.me/results/24ad8985-5168-4b7b-9478-4624b63d1cae/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e261714c041e882655e0f964c9ad2aa4161035897daf11cf7d9b385aae12f0d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/223223/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample