MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e545bebf9e0380572b0d7440696cc1c4e687e4c100640f1693c223a91e71b9c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: e545bebf9e0380572b0d7440696cc1c4e687e4c100640f1693c223a91e71b9c5
SHA3-384 hash: 6344cb41bcb57b35904019a2723b38b31a412745a33fd8ad8c984708ce4c8f64ecda2fdd90d308efd6da12cbd6637290
SHA1 hash: 824445eb19c92eaf624748c3c0fc6e77a7f617a6
MD5 hash: 6d929b7f6b456a9b24d50dbbfd87624d
humanhash: venus-batman-echo-six
File name: 6D929B7F6B456A9B24D50DBBFD87624D.exe
Signature: RedLineStealer
File size: 3'281'850 bytes
First seen: 2021-08-13 07:56:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2fb819a19fe4dee5c03e8c6a79342f79 (56 x Adware.InstallCore, 8 x RedLineStealer, 7 x Adware.ExtenBro)
ssdeep: 98304:ZC0zr0EE1XpTjfP8nkinI648yhPymUQ1Xu2HAOcBCkfp:jSEnlnIv8y8mR1Xkfp
Threatray: 115 similar samples on MalwareBazaar
TLSH: T14EE5332A7B3A8938EA82997E4C2BFE52C1B7BF494D7D4084346C94992F365F0D052FD4
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: abuse_ch
Tags: exe, RedLineStealer


abuse_ch
RedLineStealer C2:
87.251.71.145:12427

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
87.251.71.145:12427 | https://threatfox.abuse.ch/ioc/184314/

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6D929B7F6B456A9B24D50DBBFD87624D.exe
Verdict: Suspicious activity
Analysis date: 2021-08-13 08:02:02 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 56 / 100
Signature
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Check external IP via Powershell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID: 464734; sample GffR7Aa88H.exe; start date 13/08/2021; architecture WINDOWS; score 56). The graph image is not reproduced; the node labels recovered from the page are:
Network: 45.67.231.40 port 80 (SERVERIUS-ASNL, Moldova); telete.in 195.201.225.248 port 443 (HETZNER-ASDE, Germany); iplogger.org 88.99.66.31 port 443 (HETZNER-ASDE, Germany); 192.168.2.1 (unknown); 3 other IPs or domains.
Processes: GffR7Aa88H.exe -> GffR7Aa88H.tmp -> cmd.exe (-> certreq.exe, conhost.exe), powershell.exe (-> conhost.exe), d.exe (-> d.exe), 4 other processes; Chrome updater.exe started separately.
Dropped files (all PE32): C:\Users\user\AppData\...\GffR7Aa88H.tmp; C:\Program Files (x86)\...\l.exe (copy); C:\Program Files (x86)\...\is-M4605.tmp; C:\Program Files (x86)\...\is-JUF9R.tmp; C:\Users\user\AppData\...\Chrome updater.exe; 10 other files (7 malicious).
Signatures shown on the graph: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; May check the online IP address of the machine; Injects a PE file into a foreign processes; 8 other signatures.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-08-10 02:38:59 UTC
AV detection: 13 of 28 (46.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_new_bin
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments