MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5c7a8e3c41afa656fe8a0db72a99f86f93aa4085dd1860aa1dd67099ac228aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5c7a8e3c41afa656fe8a0db72a99f86f93aa4085dd1860aa1dd67099ac228aa
SHA3-384 hash: 6076ec7e8d5fd6e676022ac0be7887e5f85beb449ac89df4dae3589fc13547a3560447d3ce752db7c30bdbd91f8b379a
SHA1 hash: a353d3ab528eccc4975a02431ff1cec9997845af
MD5 hash: ddc216e1cbffd1e3e2eeb6dd42f1fc16
humanhash: cola-emma-kansas-six
File name:ddc216e1cbffd1e3e2eeb6dd42f1fc16
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:64'512 bytes
First seen:2021-10-16 10:52:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:4c4RGP3yWkesGjdAC1Auy8yd7az9t8yJqoSdTt70kv2BqtEW+KeYyg0HUTE/jDbq:4cPJv0Cuu2QuTpR2wSF5j6Ho
Threatray 7'439 similar samples on MalwareBazaar
TLSH T1F553B67B416150B6C5882730F4B50F0B767CD6251A80B698F04BF2EAEC1D69E9EF87B4
File icon (PE):PE icon
dhash icon de9c3d7393d16172 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ddc216e1cbffd1e3e2eeb6dd42f1fc16
Verdict:
Malicious activity
Analysis date:
2021-10-16 10:54:29 UTC
Tags:
stealer evasion
Link:
https://app.any.run/tasks/7320a662-42bf-485e-91ad-7ca268f438be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197862/
Detection(s):
SecuriteInfo.com.W32.MSIL_Agent.CFR.genEldorado.11544.11750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a service
Creating a window
Connection attempt to an infection source
Sending a TCP request to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616aaf109a5a1e91c5c24977/reports/466773b8-951b-4a51-9c0e-d568817c2a1d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d289ecd7-3207-422f-aff6-73e16c54609b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871506
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 503931 Sample: 6PAw5izjRO Startdate: 16/10/2021 Architecture: WINDOWS Score: 100 70 Multi AV Scanner detection for domain / URL 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected RedLine Stealer 2->74 76 6 other signatures 2->76 7 6PAw5izjRO.exe 16 8 2->7         started        12 WinHoster.exe 2->12         started        14 WinHoster.exe 2->14         started        process3 dnsIp4 64 iplogger.org 88.99.66.31, 443, 49761, 49762 HETZNER-ASDE Germany 7->64 66 niemannbest.me 172.67.221.103, 443, 49751, 49755 CLOUDFLARENETUS United States 7->66 68 topniemannpickshop.cc 7->68 42 C:\Users\user\AppData\Roaming\7726687.scr, PE32 7->42 dropped 44 C:\Users\user\AppData\Roaming\5336741.scr, PE32 7->44 dropped 46 C:\Users\user\AppData\Roaming\4759721.scr, PE32 7->46 dropped 48 2 other malicious files 7->48 dropped 96 May check the online IP address of the machine 7->96 98 Drops PE files with a suspicious file extension 7->98 16 7726687.scr 14 4 7->16         started        21 2937217.scr 14 6 7->21         started        23 5336741.scr 7->23         started        25 2 other processes 7->25 file5 signatures6 process7 dnsIp8 50 kanagoriyn.xyz 94.140.112.88, 49776, 80 TELEMACHBroadbandAccessCarrierServicesSI Latvia 16->50 52 querahinor.xyz 45.129.99.59, 80 GMHOSTUA Estonia 16->52 38 C:\Users\user\AppData\...\7726687.scr.log, ASCII 16->38 dropped 78 Detected unpacking (changes PE section rights) 16->78 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->80 82 Query firmware table information (likely to detect VMs) 16->82 94 3 other signatures 16->94 27 conhost.exe 16->27         started        54 4k1p.komawai.ru 81.177.141.85, 443, 49775, 49785 RTCOMM-ASRU Russian Federation 21->54 56 37.228.129.48, 29795, 49774 FLOKINETSC Seychelles 21->56 58 ckauni.ru 21->58 84 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->84 86 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->86 88 Tries to steal Crypto Currency Wallets 21->88 29 conhost.exe 21->29         started        40 C:\Users\user\AppData\...\WinHoster.exe, PE32 23->40 dropped 90 Multi AV Scanner detection for dropped file 23->90 31 WinHoster.exe 23->31         started        60 online-stock-solutions.com 104.21.71.122, 443, 49763 CLOUDFLARENETUS United States 25->60 62 2 other IPs or domains 25->62 92 Tries to harvest and steal browser information (history, passwords, etc) 25->92 34 conhost.exe 25->34         started        36 conhost.exe 25->36         started        file9 signatures10 process11 signatures12 100 Multi AV Scanner detection for dropped file 31->100
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5c7a8e3c41afa656fe8a0db72a99f86f93aa4085dd1860aa1dd67099ac228aa/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 10:53:05 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0091825486c2d7cfdee49e98c6795be8d32a7f50a68e0d33542b1f047fb7ed7a
RedLineStealer
059afad6c9d4183c5b32b89465732dc6ea7bf7192c0ed7e9f1dabfe65a17da2e
RedLineStealer
24842beeccc32b2247b404694796aa988f94487b26855b0e1b2dbad88d391b33
RedLineStealer
31e7e054709f5b627f50b6b26f95c6e0536c7d03361c16c9677c70fe327a7181
RedLineStealer
61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948
RedLineStealer
647c067b0bf2c8457c1d4153cf0635a662d709d881b231e06e7f307dbce46e12
RedLineStealer
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168
RedLineStealer
c4426a5f81ed451410f2a960676087b5f4e3d1cb04b3efa8549486df5bf1d5bd
RedLineStealer
d620056c5defae218de13235fc4a509d968bd55469092aa00095ff94a0246b7f
RedLineStealer
+ 7'429 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/211016-myzajacfhq/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
7d6ff46071371e92a8a76ad0c66b5844b607fafc2cb2a6c0070f371c4ec823d6
MD5 hash:
3de9aef0ff853d04432fd1fdec507ceb
SHA1 hash:
60e3792d96fc850628bcd7d9d0acfd26abc3dc89
Link:
https://www.unpac.me/results/13b9f01c-5fde-4675-8c6a-565f1b5fd0db/
SH256 hash:
e5c7a8e3c41afa656fe8a0db72a99f86f93aa4085dd1860aa1dd67099ac228aa
MD5 hash:
ddc216e1cbffd1e3e2eeb6dd42f1fc16
SHA1 hash:
a353d3ab528eccc4975a02431ff1cec9997845af
Link:
https://www.unpac.me/results/13b9f01c-5fde-4675-8c6a-565f1b5fd0db/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e5c7a8e3c41a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e5c7a8e3c41afa656fe8a0db72a99f86f93aa4085dd1860aa1dd67099ac228aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e5c7a8e3c41afa656fe8a0db72a99f86f93aa4085dd1860aa1dd67099ac228aa

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1684798/
Cape
Cape
https://www.capesandbox.com/analysis/197862/

Comments


Avatar
zbet commented on 2021-10-16 10:52:10 UTC

url : hxxp://futurepreneurs.eu/wp-content/plugins/dn-events/DownFlSetup166.exe