MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5141add8f1032a8e9bd792163b4e39187d2909007fa715b611d23264dddd1a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5141add8f1032a8e9bd792163b4e39187d2909007fa715b611d23264dddd1a7
SHA3-384 hash: f44340d09a031fa81e57eb39e3cd8e51192da847989818996b4760447bfbf165738a9c39d0f55429d4ee4c0a2a1f9159
SHA1 hash: 180a572b5acb4b46dd7409687de02853f2d22ba3
MD5 hash: 5b9d0e469f3e41df3452a177fcedaf14
humanhash: diet-oven-mango-november
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:777'216 bytes
First seen:2022-06-07 21:06:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:1aH0ODSl7HzS1mKLMI+stqfhS52iNd9qcJX9ATkZGanbh/1qReT2YTAyjfrQlePE:m0DHO1rCo51ndJuTkZGa9UR0zrt2X
Threatray 1'719 similar samples on MalwareBazaar
TLSH T10FF4E044B716EC7EF0294E37A8A1440427B0425E82BBE767A5CD36CD745F7CB0AF6A42
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.133.1.3:32790

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.133.1.3:32790 https://threatfox.abuse.ch/ioc/664284/

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
Malicious activity
Analysis date:
2022-06-07 21:09:56 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/3c6d8eda-c42c-4dfc-9cbd-98da345420ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277506/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/629fbe356aa17a21fc2ab11f/reports/a5441e7c-1961-4885-b5ef-c8403eaa19d8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/622f0336-722b-4230-8180-658651460d5b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1008553
Signature
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5141add8f1032a8e9bd792163b4e39187d2909007fa715b611d23264dddd1a7/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-06-07 21:07:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ukbvxmpcazkr2n5peqwhnhdsgd5feeqa75hcw3bdursmto52gtq._file
Verdict:
malicious
Similar samples:
201b2f41c62365df33280901cebbdefbd7bf70b35afe43d1a91f50e68c67e4d9
RedLineStealer
3331deb34392052ae790d4977ae1f7b50118ff35973b6555b5bb367917f09da1
RedLineStealer
4101090ade3774633d6ad416ca263c15a6890dd865f493d0f1ea3a2fcfddb2bf
RedLineStealer
5867949f46108ef444395ab2eebc994b0f48867e98313ecd5d57901fa8ab5acd
RedLineStealer
61243f6ee29e430e41dd9a380199a647daae46856a20f7c3ec7d80761b054060
RedLineStealer
740cc8f312eef16d83b7c49fe33519ae293bf1c1c2f80e0482c34ea3a9473843
RedLineStealer
82578106bfc35be9594b1a11389b52c8765e951b82ecee42cb1a200addc3d8a2
RedLineStealer
8a6bffed79d6eb5c57b4eb47aba7789b3498b54845519a8db65bc1de3f37d982
RedLineStealer
b704daa4a8ddc8d03b453d35507dc2c77a42cd96b5ee0fce810a51dc00fdee6c
RedLineStealer
d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee
RedLineStealer
+ 1'709 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:chief discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220607-zyandsgcdk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.133.1.3:32790
Unpacked files
SH256 hash:
4c45fe9efd4a6fb32ca4deafc27c03700f5f4ddae6fe904be76897e559e399b0
MD5 hash:
600e6154541add201cdcb15ad00388e9
SHA1 hash:
f9be6755336b58fa6addf3b0a5f2fdbf1e10efba
Link:
https://www.unpac.me/results/cd5bcd66-e692-4f8c-9961-973cf9a79f18/
SH256 hash:
5e1db8769b3c633a55520fcaa31318d64f73be1a7d14310a6eaf2fb487fca75b
MD5 hash:
a8dd35ca5e79650e0a802d89fef231f7
SHA1 hash:
ba9f57d4fb244cc216257dfaae654e539f5f980f
Link:
https://www.unpac.me/results/cd5bcd66-e692-4f8c-9961-973cf9a79f18/
SH256 hash:
4b3059a1fcd6c58c7fc4e574766133e89e95cb0fe6631b7f4aee664370c2571d
MD5 hash:
97f6ddc9c7e648e589849d8d6466bc18
SHA1 hash:
1104888244c872d5726728e0cb05ae6edaabf2bf
Link:
https://www.unpac.me/results/cd5bcd66-e692-4f8c-9961-973cf9a79f18/
SH256 hash:
8917d1b6d004c170340293280921244a898e883ba23ee3146f77d3bb88d79a06
MD5 hash:
e2c889d59bff3edcd90fc712fea0a302
SHA1 hash:
d5b2664d691d22ca98b6f5ba13de1e5088091a14
Link:
https://www.unpac.me/results/cd5bcd66-e692-4f8c-9961-973cf9a79f18/
SH256 hash:
e5141add8f1032a8e9bd792163b4e39187d2909007fa715b611d23264dddd1a7
MD5 hash:
5b9d0e469f3e41df3452a177fcedaf14
SHA1 hash:
180a572b5acb4b46dd7409687de02853f2d22ba3
Link:
https://www.unpac.me/results/cd5bcd66-e692-4f8c-9961-973cf9a79f18/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5141add8f10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/e5141add8f1032a8e9bd792163b4e39187d2909007fa715b611d23264dddd1a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277506/

Comments