MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e44039074cefd09367970c1bd8be052e4ce4cbebd7bdeaa3b495391def0fb2f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e44039074cefd09367970c1bd8be052e4ce4cbebd7bdeaa3b495391def0fb2f9
SHA3-384 hash: 2850f3684dd678d69fb536fadb848e530e619a73a09db42277e664752cd3b225e4e64c5fc62027166d17a8a51510bda5
SHA1 hash: 5f4a15cb4749755d7b3e0c87523436e57ca616bd
MD5 hash: 0c35a9ba848af55c69574a6676896167
humanhash: lion-oxygen-papa-pennsylvania
File name:0c35a9ba848af55c69574a6676896167.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'189'888 bytes
First seen:2022-08-27 21:26:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:U5SrEl6dNKcxhY6YKTXGsDgMfadq8o/Dl6SkJGAMBU:UMSc8grl6SkBMB
Threatray 2'044 similar samples on MalwareBazaar
TLSH T119455D29E74715B9DA635771858EEB7B9B147A248022AE3FFF4BDA0CB4330133C85256
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.55:15912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.55:15912 https://threatfox.abuse.ch/ioc/845791/

Intelligence

File Origin
# of uploads :
1
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0c35a9ba848af55c69574a6676896167.exe
Verdict:
Malicious activity
Analysis date:
2022-08-27 21:28:02 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/317123d4-c821-4061-8139-109b1d2b6e53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301704/
Detection(s):
Win.Malware.Generic-9964431-0
Create hunting rule

Win.Spyware.Fragtor-9964509-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30393/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/630a8c6d05ef0c24e42b63d3/reports/2c8a99d8-771b-4247-860d-8907b03c2804/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4777f78-f105-457e-8847-d6b4d8a85b28
Result
Threat name:
RedLine, YTStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059044
Signature
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected YTStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 691562 Sample: M83j7zvU0c.exe Startdate: 27/08/2022 Architecture: WINDOWS Score: 100 29 goback.delivery 2->29 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 8 other signatures 2->45 8 M83j7zvU0c.exe 1 2->8         started        signatures3 process4 signatures5 49 Writes to foreign memory regions 8->49 51 Injects a PE file into a foreign processes 8->51 11 AppLaunch.exe 15 8 8->11         started        16 WerFault.exe 23 9 8->16         started        18 conhost.exe 8->18         started        process6 dnsIp7 31 185.215.113.55, 15912, 49710 WHOLESALECONNECTIONSNL Portugal 11->31 33 5.252.177.92, 49725, 80 MIVOCLOUDMD Moldova Republic of 11->33 35 185.143.223.25, 49724, 80 INFORMTECH-ASRU Russian Federation 11->35 23 C:\Users\user\AppData\Local\...\filename.exe, PE32+ 11->23 dropped 25 C:\Users\user\AppData\Local\...\filename.bin, PE32 11->25 dropped 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->53 55 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->55 57 Tries to harvest and steal browser information (history, passwords, etc) 11->57 59 Tries to steal Crypto Currency Wallets 11->59 20 filename.exe 11->20         started        37 192.168.2.1 unknown unknown 16->37 27 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->27 dropped file8 signatures9 process10 signatures11 47 Multi AV Scanner detection for dropped file 20->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e44039074cefd09367970c1bd8be052e4ce4cbebd7bdeaa3b495391def0fb2f9/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-24 16:03:22 UTC
File Type:
PE (Exe)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4radsb2m57ijgz4xbqn5rpqffzgojs7l2666vi5usu4r33ypwl4q._file
Verdict:
malicious
Similar samples:
01716384eb4a3eb63b01f58a5316c96fd64e5afd03080eca777c7ed1fb63c272
RedLineStealer
4ec607dfd56b569bd39672d1e07326d58a2bf51c94468aa6b684a538e3060e14
RedLineStealer
4ff647517c0dcc43d4269fc35b9198143b8edd4c3f4e5f200cdbb3e54709a527
RedLineStealer
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
RedLineStealer
8d51031f46ccce52c5c5d425ad654914c78865bb875bd551bba171a805830e9e
RedLineStealer
8ebb6a267127e1437a1fea7a658729c80947a433b5e9a999f82766b7986bab0b
RedLineStealer
d626b63e65618c3912e53028484168dc213f2bf7cc5b1576bc02817d00724c2d
RedLineStealer
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
RedLineStealer
e803ddc18558dca04c7705867278ab91678921e0825e2f54070bba456702ddd1
RedLineStealer
faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2
RedLineStealer
+ 2'034 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220827-1aq6xagbdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.215.113.55:15912
Unpacked files
SH256 hash:
4ac4e752fe15e306e7fa490cd3ae941b988334182448fb900c6ae905d26ddf00
MD5 hash:
111a8d68d91150432742a4a1bc24ca3f
SHA1 hash:
1ff2a230e7cfaf8140716d3d3a4a01f74358e37f
Link:
https://www.unpac.me/results/d0799604-d808-4444-ba04-0200e16437a2/
SH256 hash:
e44039074cefd09367970c1bd8be052e4ce4cbebd7bdeaa3b495391def0fb2f9
MD5 hash:
0c35a9ba848af55c69574a6676896167
SHA1 hash:
5f4a15cb4749755d7b3e0c87523436e57ca616bd
Link:
https://www.unpac.me/results/d0799604-d808-4444-ba04-0200e16437a2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e44039074cef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e44039074cefd09367970c1bd8be052e4ce4cbebd7bdeaa3b495391def0fb2f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301704/

Comments