MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

SHA256 hash: e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37
SHA3-384 hash: 185e0cd599efe74f03cdc759f36e633d78720426f9e2194fbab68c2f7ae0561c2e06fe7e91d690756873f9e791606b39
SHA1 hash: 644eef3bb78b0e340b2f4977dc0c17b26889603b
MD5 hash: e00743a06378fdc48df81c57ff27c80c
humanhash: sweet-echo-grey-pennsylvania
File name: e00743a06378fdc48df81c57ff27c80c.exe
Signature: RedLineStealer
File size: 818'801 bytes
First seen: 2021-03-16 19:28:39 UTC
Last seen: 2021-03-16 21:31:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2fb819a19fe4dee5c03e8c6a79342f79 (56 x Adware.InstallCore, 8 x RedLineStealer, 7 x Adware.ExtenBro)
ssdeep: 24576:4yIYo8isrRt4d0oCoQ5u7d33mBJxl0dUMfYCr:4ym8isVtfoCoQZl0dUMwCr
Threatray: 59 similar samples on MalwareBazaar
TLSH: A305231299524BB0E0918AB82E7F4175C637FD311438144C3BD99DBD2F6A762EEBCB81
Reporter: abuse_ch
Tags: exe, RedLineStealer

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 142
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: e00743a06378fdc48df81c57ff27c80c.exe
Verdict: Suspicious activity
Analysis date: 2021-03-16 19:44:27 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 46 / 100

Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID 369633: sample jD8oMLSIrf.exe, start date 16/03/2021, architecture WINDOWS, score 46

Network contacts at graph start: s3-1-w.amazonaws.com, bitbucket.org, bbuseruploads.s3.amazonaws.com
Signatures at graph start: Found malware configuration; Multi AV Scanner detection for dropped file; Yara detected RedLine Stealer; 5 other signatures

Process tree (with dropped files, signatures and network contacts per process):
jD8oMLSIrf.exe
  dropped: C:\Users\user\AppData\...\jD8oMLSIrf.tmp (PE32)
  jD8oMLSIrf.tmp
    dropped: C:\Program Files (x86)\...\is-75GT6.tmp (PE32)
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    dropped: C:\Program Files (x86)\...\is-D2TPJ.tmp (PE32)
    jason.exe  (signature: Injects a PE file into a foreign processes)
      jason.exe
        contacts: api.ip.sb
        contacts: 87.251.71.75 (ports 3214, 49735, 49747; RMINJINERINGRU, Russian Federation)
    cmd.exe
      iexplore.exe
        iexplore.exe
          contacts: iplogger.org
      conhost.exe
    cmd.exe
      certreq.exe
        contacts: iplogger.org (88.99.66.31; ports 443, 49719, 49720; HETZNER-ASDE, Germany)
      conhost.exe
    3 other processes
      contacts: iplogger.org
      conhost.exe (3 instances)
      iexplore.exe
Threat name: Win32.Infostealer.Coins
Status: Malicious
First seen: 2021-03-16 19:29:06 UTC
AV detection: 21 of 47 (44.68%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a

Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 956e29ab9a4ff14e1a4948baf609e4795e8db37a534afb78f189476c97c82093
MD5 hash: 60a6fa3fd03894911b58666ed166d0f5
SHA1 hash: 1d6e44fd878c62769cd58c821c5c23a4e1ad69f4

SHA256 hash: 965635c941cfe2bb0a23259593e78e89e1fd6fd5d5489bced26b47184336df9e
MD5 hash: d64dc981fc183fe170585bcffc04e51b
SHA1 hash: c4aa899058d548af4cbb77533ccd531e1a7253a0

SHA256 hash: 5ba8441fe52b059e6b7db5cba6a8d2e1e132b7e7fc97ceeb0c741fa5f8e90331
MD5 hash: e75ad534ae98c2de24e752421bd2548b
SHA1 hash: 88970520cc4c813e0280c5ebcd0bd0878e87933e

SHA256 hash: 1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc
MD5 hash: 8f85df46a482b5b068ae7667bf1a33d6
SHA1 hash: a210d369311aa4d709dc962c634174738576907e

SHA256 hash: 6d985efac2b7f469a0b4b0e861b655639a3aa4d3c606eff5f7de8e8b67b4e270
MD5 hash: 165ea34bd74f45a6931de83b86ed5e51
SHA1 hash: ce1cceba9e50519d9999b14bc16945d6130a3170

SHA256 hash: e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37
MD5 hash: e00743a06378fdc48df81c57ff27c80c
SHA1 hash: 644eef3bb78b0e340b2f4977dc0c17b26889603b
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: RedLineStealer
File: Executable exe e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37 (this sample)

Delivery method: Distributed via web download

Comments