MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f
SHA3-384 hash: 6f3de4441315e67a85e1580c6a3ceb46d6f78f68b0c6b0d99e11329c4d8400bd68f581d7f6783d1fc3ffb488c0166847
SHA1 hash: 23c70b6de6c3a2958d1b0dc25b691106f215ac0f
MD5 hash: c7b2f2bf03dc91ffb2b9beab50aa5835
humanhash: friend-lion-paris-freddie
File name:SecuriteInfo.com.Trojan.PWS.Steam.27776.32122.30617
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:961'640 bytes
First seen:2022-04-15 03:34:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 76b0ff22bd1741de688ce65231800a79 (2 x RedLineStealer)
ssdeep 24576:64daLrqg2i1505lkPqVPc+NuSnhSKBltOR:64cPq/iPa5V2EAKG
Threatray 1'065 similar samples on MalwareBazaar
TLSH T1EF15120224C4D141C5DDFA7AD23699BACB3EBE938534D85E1329B0591AE33E7B407B63
File icon (PE):PE icon
dhash icon b2aacc9696cce8a2 (2 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.PWS.Steam.27776.32122.30617
Verdict:
Malicious activity
Analysis date:
2022-04-15 03:36:45 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2edbd623-89ae-4d5b-b16b-31018d142f08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263890/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.27776.32122.30617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Query of malicious DNS domain
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit overlay packed pandora shell32.dll
Link:
https://www.filescan.io/uploads/6258e7e7482f2f41cab26911/reports/587e0558-57df-4dc3-b591-d013760f1fa4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9494dd5e-cb00-49d1-84c0-28a368e0c6c2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977257
Signature
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-11 21:32:04 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
21e4967adbe7dfeedfb2c8a2d52e4ecfdf97f0e5b0846d58652b29b56a43222f
RedLineStealer
5a8894a6c74d842e70b975c758fa584143583c58dd2e8f2e220ef152485d884b
RedLineStealer
8e0eb9c341507feb9619ba70fdea2c2589705f693bed120e88dc70d4f941becf
RedLineStealer
c27bd7f4a127bd6cf5a31ee6ab66fe3e99e0ca4f0f1903e2b1880f2606edbdc4
RedLineStealer
de342b73ab279eccec76de26007344ba122df43f5cb1ded839f75579206f85b0
RedLineStealer
e280ab8b2b76bc9a381aa8a3a8b26daa1f41725b714262c1f263a35ff5a0b7c9
RedLineStealer
f2b0706066fbc556ed73ab393d00db40a5cf1a0d4b2dc7647172b122b83fb919
RedLineStealer
+ 1'055 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:metastealer family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220415-d5by5sbger/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Meta Stealer Stealer
RedLine
RedLine Payload
Unpacked files
SH256 hash:
24c5565a95099426a000bebd7fdfafb0f3a3d678158420513766bddbd8f7cecb
MD5 hash:
2353187895995e60675edaaca147ace6
SHA1 hash:
b77dcf7304aa06d08b14c1bd99961b084793fa1d
Link:
https://www.unpac.me/results/352d3f6e-0f70-4fd8-a100-448e4c757edc/
SH256 hash:
e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f
MD5 hash:
c7b2f2bf03dc91ffb2b9beab50aa5835
SHA1 hash:
23c70b6de6c3a2958d1b0dc25b691106f215ac0f
Link:
https://www.unpac.me/results/352d3f6e-0f70-4fd8-a100-448e4c757edc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/263890/
  
URLhaus
https://urlhaus.abuse.ch/url/2148498/
  
Delivery method
Distributed via web download

Comments