MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277
SHA3-384 hash: 199f3877068e9d96b93d47b67b66e27b6c8d895f0d441294af1b1b9ffc832aa14c431d3bdbb99d0355f19bc40a9bc28d
SHA1 hash: 2ce4eecded3dc1249523c53852c57aad5d521145
MD5 hash: 1fb26f11ae2a9bd3e8550609aded48eb
humanhash: crazy-thirteen-leopard-hawaii
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:249'856 bytes
First seen:2023-07-14 13:23:39 UTC
Last seen:2023-07-14 14:51:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 125265b176c51973ffd1d3a458a6a6f9 (3 x RedLineStealer, 1 x Amadey)
ssdeep 6144:DLYeezVDlsZUdqppCTvJ8yA55FGamNQf0Xw05Q:DNGVDv8CFoqa0A6
Threatray 129 similar samples on MalwareBazaar
TLSH T1AE34021134A1C872C42B8975147AE690AA3FB56257F6C98727280A7B2F323C2777E347
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 020604051a183000 (1 x RedLineStealer, 1 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.169.175.136:3004/

Intelligence

File Origin
# of uploads :
4
# of downloads :
277
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-14 13:26:32 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/3904e905-38e7-4094-aa65-1d97a3458391

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/419039/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97644/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64b14c7358ac422b7cce5dfd/reports/b98122db-29d5-43e2-bd12-c1de0d92916a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bfb3f0e1-19dc-4b02-9d15-56dc1b177c02
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273202
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-14 13:24:07 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
15 of 22 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4j7azbazgzleaqdfstgppzct4nbhyauip5suzgt6lfvdtzp7ij3q._file
Verdict:
malicious
Similar samples:
02faea4481281e7d6e4bd48f06e969b6a9854d4746525af6ccae7a9748b49b95
RedLineStealer
1e34106fd70c84ab8a1a0b27425e2f6d53500fc48bbdc5b02041fb3459721473
RedLineStealer
2a5de2e7ec1dcc3e5b3c1a702b2efd8a60f928dfd641f152212647ed0c067218
RedLineStealer
39ff18916d45394e08dd2c2bd297f30671829ea91812af3c2a0a32b73d274e69
RedLineStealer
57641aef77ca6506c2ae922b35261631de04da377750a3494acbf7ca8951ac9b
RedLineStealer
5a6efc81f1a3e1c8266cbacdeaf04ee400dfcc3bc5998c6df13e68ad6f51cdc7
RedLineStealer
642fb7de5f7e3d2b625c2b1fe905e9bb26445460d0ed3904eb0ca6d708edc7aa
RedLineStealer
e6b5e4a15de0758793c71dd1b8ae4b6362a127148f70e25d8844156f114a86c0
RedLineStealer
f22e976a3cc892e7c21cf6e222d0cf2e0e6c0dc0f7b882c7ac8d365a1e3b4cd1
RedLineStealer
+ 119 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (bot: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230714-qncwbsfa8v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
147.135.165.22:17748
Unpacked files
SH256 hash:
61b665c9d8c6bb36efbc081af7030d7e718131d9127c78d7c48471b3c49d0b11
MD5 hash:
ef52db00c32eeb6297612393e4b31d27
SHA1 hash:
e3df44ad822b71873567544c7894f91aa19f87b5
Link:
https://www.unpac.me/results/381e61e9-d628-4a24-be33-594a221e8dcf/
SH256 hash:
e6d5c75e062e590de5bccb3f2d348da93d3369060ac4724a097df9a84bc2906c
MD5 hash:
dee4dac93828efe1377fd597e394bb91
SHA1 hash:
b618a9f382ff66393bd564307d9bd908626555b1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/381e61e9-d628-4a24-be33-594a221e8dcf/
Parent samples :
904dc186be98665e05bbadc41d8e5e6aea449d40027e726c96dc184c15e77c8f
b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277
6b714efecfe9f33ea5f6d1e9b3ef6f7a6b360e68d0fc4ab27026aa0a9a81ccf0
84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d
2fc938491c21e70d94e8de8846ed3d9c32c333b868bd4e6345a28738c2524026
SH256 hash:
69cdae1909872cf0df31b20fea0b448ea41e51203a664f5f309f5d5e27ee90e3
MD5 hash:
c4e84afb3e6ac5912f3ce8f7c37ce5ff
SHA1 hash:
a553d631ac0142489230feb92cc1cca38596dffc
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/381e61e9-d628-4a24-be33-594a221e8dcf/
Parent samples :
904dc186be98665e05bbadc41d8e5e6aea449d40027e726c96dc184c15e77c8f
b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277
6b714efecfe9f33ea5f6d1e9b3ef6f7a6b360e68d0fc4ab27026aa0a9a81ccf0
84cb05a98d0a30fc3fa3612201a356e5b5400aa08762d5e12369dc07f77f938d
2fc938491c21e70d94e8de8846ed3d9c32c333b868bd4e6345a28738c2524026
SH256 hash:
4746a9777ee10aceaf482c9f7aa48c7e8e688a9f2e105ed40565867736b7db5b
MD5 hash:
baf4c16080b5a398b82067484c3fe88b
SHA1 hash:
5f127ae2c31d9f6b7042f62bf49c3c2720151a56
Link:
https://www.unpac.me/results/381e61e9-d628-4a24-be33-594a221e8dcf/
SH256 hash:
e27e0c8419365640406594ccf7e453e3427c02887f654c9a7e596a39e5ff4277
MD5 hash:
1fb26f11ae2a9bd3e8550609aded48eb
SHA1 hash:
2ce4eecded3dc1249523c53852c57aad5d521145
Link:
https://www.unpac.me/results/381e61e9-d628-4a24-be33-594a221e8dcf/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e27e0c841936/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/419039/
  
URLhaus
https://urlhaus.abuse.ch/url/2682583/
  
URLhaus
https://urlhaus.abuse.ch/url/2682625/

Comments