MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2bb30a8cc27e2d95a89ed4656c4f3af6f6be8772494f3ad6b64893412b86f1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2bb30a8cc27e2d95a89ed4656c4f3af6f6be8772494f3ad6b64893412b86f1e
SHA3-384 hash: f290c6b386f5ca21219a5c86b77cf7e1e3a78895b4220f3854d71573ce1209883cb3d3342a4d98805098adbb9638ce28
SHA1 hash: 00e611ec70c4af2c5fb02da85d03479e908d78fa
MD5 hash: f7ddcbc0c830b5aa4ca259e4138250d8
humanhash: bakerloo-queen-lake-jersey
File name:f7ddcbc0c830b5aa4ca259e4138250d8
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:102'400 bytes
First seen:2021-06-22 19:09:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 1536:hkVxhu2jizhorkppz3YA7F2OGw1Fd04B1fvjqiGGyPXrDfy/Nh/w/m9xxoMm7:ePdeorkDYA7oo1r/fbaGyPr+3UmC3
Threatray 496 similar samples on MalwareBazaar
TLSH B9A3E18C7664326FC892CA718DAC4CA0BF2025364B4BC157E44B40F95A6D78BDF52BF6
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f7ddcbc0c830b5aa4ca259e4138250d8
Verdict:
Suspicious activity
Analysis date:
2021-06-22 19:12:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d42aaf9f-5a12-4210-abc7-41cf30621e70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167673/
Detection(s):
Win.Packed.Redline-9871569-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine infostealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b67eb9a-22bf-4722-aa7b-73bbba16b332
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/806224
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2bb30a8cc27e2d95a89ed4656c4f3af6f6be8772494f3ad6b64893412b86f1e/
Threat name:
ByteCode-MSIL.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 16:14:29 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4k5tbkgme7rnswuj5vdfnrhtv5xwx2dxeskphlllmsetievyn4pa._file
Verdict:
malicious
Similar samples:
1720e03faab70e324d64b586f3ddbdb1a48169dd54d3e477c4a73a7e6d27ce97
RedLineStealer
17c9de3887c482af3a7902e7e6e2247bf1b03d1819508f03557afbeae7c18e90
RedLineStealer
2738373f0b008beb61553747e56cb623befa5e44a43b322cc4b74e7508ec24cb
RedLineStealer
47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
RedLineStealer
4affde0906145b59b617833571ec9ee44d87eb82c4f159a6ead5fd0a49fdc5db
RedLineStealer
5576e6d2bde0df49ee885579d495ccacc2f3a21b45c512224f4180f96c0672b8
RedLineStealer
5677b9d1528c45370a17cd4b68fc443862d4304ef1bca005c369c8c1d9158a62
RedLineStealer
b38276257c15d7c08d18479f37681b9a5bdc720d1e767010b82bebb0fb00038d
RedLineStealer
c7d8d4db5e3b3e5138ec47d758454b7bb0bb418a8cbb7f00dc1ee2211c92716d
RedLineStealer
f93f28f9a2d3fd6de1862806f61d41a50d6ba76bae3a5e2e0fcdc3a495530eca
RedLineStealer
+ 486 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@moklopoh infostealer
Link:
https://tria.ge/reports/210622-b8d3y6f47a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.81.227.32:22625
Unpacked files
SH256 hash:
b82672e44baffb8fe79d2aaa94b7c7b52fa89198c921e6e193101af2aa55efcf
MD5 hash:
9af5246ac78b7c5d37427c908eb99127
SHA1 hash:
ee0340c81a46f6165d319d5813c2dce8e46068bb
Link:
https://www.unpac.me/results/08893312-cb3b-4f77-9727-7612155db6fb/
SH256 hash:
ec3cfbd405d320768e032b2cf7570088597409a584b9928e8e78ac8e659cbb30
MD5 hash:
0f7881d9fbb34b4e45e32d96249adf71
SHA1 hash:
c7c718dfa8db2c804effa2b0befa7d8e9c865ba9
Link:
https://www.unpac.me/results/08893312-cb3b-4f77-9727-7612155db6fb/
SH256 hash:
e2bb30a8cc27e2d95a89ed4656c4f3af6f6be8772494f3ad6b64893412b86f1e
MD5 hash:
f7ddcbc0c830b5aa4ca259e4138250d8
SHA1 hash:
00e611ec70c4af2c5fb02da85d03479e908d78fa
Link:
https://www.unpac.me/results/08893312-cb3b-4f77-9727-7612155db6fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2bb30a8cc27e2d95a89ed4656c4f3af6f6be8772494f3ad6b64893412b86f1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e2bb30a8cc27e2d95a89ed4656c4f3af6f6be8772494f3ad6b64893412b86f1e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167673/
  
URLhaus
https://urlhaus.abuse.ch/url/1389248/

Comments