MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2cde06324619e2e4d6506fd8d3d41272c6484705ee9f68ed30d87cd0751dd30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2cde06324619e2e4d6506fd8d3d41272c6484705ee9f68ed30d87cd0751dd30
SHA3-384 hash: e5d5448b9999455833ff1c8fde15ac31146a63913516dccfa1c4dab1ca8dbb1793b6043a33459cb10a42081d16d035ab
SHA1 hash: 2d4650d9375e1944c1acf91cd25abb3d88c5755e
MD5 hash: 6a4b85f6f14b8f930f545580390b0f06
humanhash: happy-angel-kitten-dakota
File name:Installer.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:458'752 bytes
First seen:2022-09-08 14:23:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f55fc0481fe939f858f6e3c9baf7b16 (12 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:tEQjW6+N0xrAMixvqwp1ZD4fRJt70iQqBkX7CkPTBa5TRaZG0iN0r806hIdJFjkA:tTrslXZ0fXt75Qqs5M0rUmdJFjkwxt
Threatray 2'754 similar samples on MalwareBazaar
TLSH T109A48E11F9B2C0B3D5639AB1D87DC32D247A7A201B2149EB6FC019B86EE43D16970F67
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter tech_skeech
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer.exe
Verdict:
No threats detected
Analysis date:
2022-09-08 14:26:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/81b418ac-5fa0-44dc-8e88-b3a083fba222

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308807/
Detection(s):
SecuriteInfo.com.Variant.Lazy.241246.32081.18242.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37084/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6319fb60bdec86ddb45cf0d1/reports/387b189d-6a88-455b-84a0-a3238afbbdbd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebc25242-0043-49eb-a388-5276230a5821
Result
Threat name:
DCRat, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067217
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected DCRat
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 699748 Sample: Installer.exe Startdate: 08/09/2022 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for domain / URL 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 8 other signatures 2->53 8 Installer.exe 1 2->8         started        process3 signatures4 63 Writes to foreign memory regions 8->63 65 Allocates memory in foreign processes 8->65 67 Injects a PE file into a foreign processes 8->67 11 AppLaunch.exe 15 5 8->11         started        16 WerFault.exe 23 9 8->16         started        18 conhost.exe 8->18         started        process5 dnsIp6 41 185.106.92.8, 38644, 49775 SUPERSERVERSDATACENTERRU Russian Federation 11->41 43 siasky.net 89.248.168.48, 443, 49750 INT-NETWORKSC Netherlands 11->43 45 pastebin.com 172.67.34.170, 443, 49749, 49754 CLOUDFLARENETUS United States 11->45 33 C:\Users\user\AppData\Local\Temp\module.scr, PE32 11->33 dropped 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->71 73 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->73 75 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 11->75 77 3 other signatures 11->77 20 module.scr 1 11->20         started        35 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->35 dropped file7 signatures8 process9 signatures10 55 Machine Learning detection for dropped file 20->55 57 Contains functionality to inject code into remote processes 20->57 59 Writes to foreign memory regions 20->59 61 2 other signatures 20->61 23 AppLaunch.exe 20->23         started        27 conhost.exe 20->27         started        29 WerFault.exe 20->29         started        31 WerFault.exe 20->31         started        process11 dnsIp12 37 176.126.103.211, 49763, 49765, 49766 SAARGATE-ASVSENETGmbHDE Ukraine 23->37 39 192.168.2.1 unknown unknown 23->39 69 Tries to harvest and steal browser information (history, passwords, etc) 23->69 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2cde06324619e2e4d6506fd8d3d41272c6484705ee9f68ed30d87cd0751dd30/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 14:24:08 UTC
File Type:
PE (Exe)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4lg6ayzemgpc4tlfa36y2pkbe4wgjbdql3u7ndwtbwd42b2r3uya._file
Verdict:
malicious
Similar samples:
1bae10e7936ad33a97a18bbb0268a7458e0fb36f9498786d003e8fc73f2eb6e8
RedLineStealer
1d6f39132b603b5e70cbf8cf56c2470717a4ec85e79ec13fb99766b267ff0fd7
RedLineStealer
485dfdf671d1c6f97c26b2efbf0e19a0703571a95543b56a4233fd54707c3aa2
RedLineStealer
52651bd3091f375b41b38aeeffd45d4df8fe0b1763fb6788756b473e6f96b5e2
RedLineStealer
75c9e2a6c3d9196c4ea851f90401d6b9acae07489a41d462a462e42f26780215
RedLineStealer
84bdcbcb4f0c101eaf448ef5c1d727590b3a35e08a9fd94cc21b500760c8d172
RedLineStealer
b1875400f6f240321a2d3e23ad0fd8ef4234d80c57c3b151f28f98fde13ab623
RedLineStealer
d3e129d7d38d514584d7c468f749c2ccec3e321e731af52b88704d083b2abf84
RedLineStealer
db712cfee73091f2f54d00783998b90b73cff3f8ebf651814e499f3b1d8c2f4a
RedLineStealer
e3f6666bcc343098a21a2c52ee8a63d03c042b9dfd4cb1dfbf984c6d0e985da0
RedLineStealer
+ 2'744 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:redline infostealer rat spyware
Link:
https://tria.ge/reports/220908-rqptcabhgp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Downloads MZ/PE file
Executes dropped EXE
DCRat payload
DcRat
RedLine
Malware Config
C2 Extraction:
185.106.92.8:38644
Unpacked files
SH256 hash:
92e69278d56f1a2848bf1c3fc5b1b559ceeab60d0620a17d9f49bf0508a54a11
MD5 hash:
46d5ad6a335f838448031f01b5778c81
SHA1 hash:
6789da14d5c171c88e9f92993e47b5bd87907344
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0406526e-7812-44c8-95df-f437701a6202/
SH256 hash:
e2cde06324619e2e4d6506fd8d3d41272c6484705ee9f68ed30d87cd0751dd30
MD5 hash:
6a4b85f6f14b8f930f545580390b0f06
SHA1 hash:
2d4650d9375e1944c1acf91cd25abb3d88c5755e
Link:
https://www.unpac.me/results/0406526e-7812-44c8-95df-f437701a6202/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2cde0632461/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2cde06324619e2e4d6506fd8d3d41272c6484705ee9f68ed30d87cd0751dd30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e2cde06324619e2e4d6506fd8d3d41272c6484705ee9f68ed30d87cd0751dd30

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/308807/

Comments