MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2cbb58752989acbe54be6eecd826d919a8ec7370e350533e9502fee6e8ebd09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2cbb58752989acbe54be6eecd826d919a8ec7370e350533e9502fee6e8ebd09
SHA3-384 hash: 1b4c30ddcc5d1874f23b036eb790af423e3524ff4927d6bc3680b0de6cab1bff83c79927a08c84e5c3c8e3b2030a34dc
SHA1 hash: 2bdca2fe5c06489ea5a7617c4ee3e4fdb1e2f075
MD5 hash: 076a2ef01636ec785bb175d8cc135b9e
humanhash: magnesium-beryllium-utah-connecticut
File name:SecuriteInfo.com.Trojan.GenericKD.39285897.14822.11401
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:564'736 bytes
First seen:2022-03-21 18:14:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:WEF0ZRDuSuQ8DnQS03ULaHNqrxlKIQNoz/ptWykbhEV:lFKrudrkEaHNYK3Q/7zkbhm
Threatray 1'800 similar samples on MalwareBazaar
TLSH T1CCC42363A3C0FB5AD84B06F50D4A6BD92152453533D0B09DFA7D6F84733C066AAAD2BC
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/253760/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.39285897.14822.11401.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6238c0e20cd58dbd92d07256/reports/e32e9f45-8755-4912-8032-d60bffaae96a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c0d484b-85cd-42f3-a1f7-e72a34330588
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961061
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2cbb58752989acbe54be6eecd826d919a8ec7370e350533e9502fee6e8ebd09/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-18 13:30:58 UTC
File Type:
PE (Exe)
AV detection:
20 of 27 (74.07%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4lf3lb2stcnmxzkl43xm3atnsgni5rzxby2qkm7jkax643uoxueq._file
Verdict:
malicious
Similar samples:
11e0356d05bfe20ce7b6cac8cde325be4b32acbacfa391429322de065e9ab6ed
RedLineStealer
131ee99afd92973afbf840c3c40dca30629c2d2fe05d6e26d6a34e7af65b8d68
RedLineStealer
312783a788b6b11c7921d2836059c7beb80adcc4d4162f80bb6a3cf5d20b80c3
RedLineStealer
473fe6b6035aa5b2b061b617b74a6bebec1ed246a2dcaaf66144c22be24776f1
RedLineStealer
71f203f4c3e11a93dcab88f4d288d8758bd584615eacd059baaa08041979bf25
RedLineStealer
8e608482cad57e0b61c813e96639f62abd854f069f49d68807c966ccadc518d5
RedLineStealer
a83c10a38408972dbc7d9daf66e2dd8c9bb6545e9e4f81c2097214ebe2a16119
RedLineStealer
bac79cf2d4bcb54ed3d8d90f65d67ff94046f31f6ac05c7e04194953ae793f0d
RedLineStealer
c04dfc2917dffe8977dd0e59c0750b6a088960b0c1302ee825e56b8f175ff33c
RedLineStealer
dfd82ea53bb1196fc2e079063358063b524142778c754259045e4541c60d7c1d
RedLineStealer
+ 1'790 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220321-wvyz2ahgdn/
Behaviour
Program crash
Unpacked files
SH256 hash:
fb9cfb9ae25d0bab2e3cfd4f70677b486441a96c35f098cf16602d04ded88ad3
MD5 hash:
136deaaf0c2c2bd1ed187651b79d4d8a
SHA1 hash:
dc2f34ee30b8c41548e0f3388fc81f93f7dba507
Link:
https://www.unpac.me/results/6777535a-4aa4-4abc-8f03-397bc8080d39/
SH256 hash:
332b5c267bcdfc9332bf026d9120ddcc0b988de39de9856ad9e15af8132c513e
MD5 hash:
d694359f1190aaa0bf94d81c51047e1f
SHA1 hash:
ad681ec233ad72fb4975fe1f44f4f67adc027263
Link:
https://www.unpac.me/results/6777535a-4aa4-4abc-8f03-397bc8080d39/
SH256 hash:
e2cbb58752989acbe54be6eecd826d919a8ec7370e350533e9502fee6e8ebd09
MD5 hash:
076a2ef01636ec785bb175d8cc135b9e
SHA1 hash:
2bdca2fe5c06489ea5a7617c4ee3e4fdb1e2f075
Link:
https://www.unpac.me/results/6777535a-4aa4-4abc-8f03-397bc8080d39/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e2cbb5875298/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2cbb58752989acbe54be6eecd826d919a8ec7370e350533e9502fee6e8ebd09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e2cbb58752989acbe54be6eecd826d919a8ec7370e350533e9502fee6e8ebd09

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2109332/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/253760/

Comments