MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4be789966545fa9adaa51e05382ebbd075b740d6c645cccb8d8ecab3305a92e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4be789966545fa9adaa51e05382ebbd075b740d6c645cccb8d8ecab3305a92e
SHA3-384 hash: afdf6b30cdaabc82781b479396231309a5c13986d78bf41021627492ed1f177a37b9f80e5af6c3b591645706dfa5afd7
SHA1 hash: f9b4fedba893f241851c29aa7a93dbc2a8a2fee8
MD5 hash: 3e88c11d9b4cbdf2e30c039521a3ba7d
humanhash: magazine-delaware-rugby-music
File name:3e88c11d9b4cbdf2e30c039521a3ba7d
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:250'880 bytes
First seen:2021-11-17 13:05:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 3072:eGDKW1LgppLRHMY0TBfJvjcTp5XyQmmVuKFl1q3ujsA8zsUZaDf:fDKW1Lgbdl0TBBvjc/Em4KNPYA8zM
Threatray 4'203 similar samples on MalwareBazaar
TLSH T16134CF217180C1B2C4B7163084E6CA795A7A3D611B7991C7BBD93BBA6F313D1A3362CD
File icon (PE):PE icon
dhash icon 2627938667230b3b (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e88c11d9b4cbdf2e30c039521a3ba7d
Verdict:
Malicious activity
Analysis date:
2021-11-17 13:25:36 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/211d9f0a-74bc-4917-a1db-7fb51738d915

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6194fe062695a62af9f22acb/reports/4d2a0eb0-3ec7-4143-ab43-415492cb3520/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17cfbfeb-926f-4f3f-8765-de4c41eb025f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/891138
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4be789966545fa9adaa51e05382ebbd075b740d6c645cccb8d8ecab3305a92e/
Threat name:
Win32.Trojan.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 20:50:07 UTC
AV detection:
32 of 45 (71.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4s7hrglgkrp2tlnkkhqfhaxlxudvw5annrsfztfy3dwkwmyfvexa._file
Verdict:
malicious
Similar samples:
32a870968707205b82b21b74b8e7e295221dd3ef81a6ee67cab7cf5628c89f2d
RedLineStealer
777c3247006fe2a81472de7916225585926e34ed5bf1a3f4d4564320706c283b
RedLineStealer
ca7b59a716d7f6caf24ad2258751b0a3fb8fd174a3c36e44375178500f7714d9
RedLineStealer
f14f18ed96467a5005fd9bc67ff6b4a2c253a2438461880fff9d5cee2a26959d
RedLineStealer
f6431102d6d67aa4d92ba78d123a063f728289b3004ef1e6dcd44c4f52249408
RedLineStealer
+ 4'193 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:bank logs discovery infostealer
Link:
https://tria.ge/reports/211117-qbkemshfgj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
RedLine
RedLine Payload
Malware Config
C2 Extraction:
64.56.67.136:55730
Unpacked files
SH256 hash:
e4be789966545fa9adaa51e05382ebbd075b740d6c645cccb8d8ecab3305a92e
MD5 hash:
3e88c11d9b4cbdf2e30c039521a3ba7d
SHA1 hash:
f9b4fedba893f241851c29aa7a93dbc2a8a2fee8
Link:
https://www.unpac.me/results/301d20d1-d203-4bba-8c6c-8b9d488b4ea2/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e4be78996654/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4be789966545fa9adaa51e05382ebbd075b740d6c645cccb8d8ecab3305a92e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e4be789966545fa9adaa51e05382ebbd075b740d6c645cccb8d8ecab3305a92e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/206793/
  
URLhaus
https://urlhaus.abuse.ch/url/1797528/

Comments


Avatar
zbet commented on 2021-11-17 13:05:05 UTC

url : hxxp://2.56.59.42/US/UnletDeejay1500.exe