MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5fa3a5fc4f1e1c8286a6bd37ea4b40f6879e629f27e64e7dd491fb42dc6fe36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	e5fa3a5fc4f1e1c8286a6bd37ea4b40f6879e629f27e64e7dd491fb42dc6fe36
SHA3-384 hash:	fd6d6b2bd90918657a6cb3ba4d204875423827d4ee6fe0670f889664ef50365f0743c5be3b81298592ca1a8811e52530
SHA1 hash:	d734f5eb7071e9d2309d933471b6e22e3fdc35cb
MD5 hash:	2d3e4a0d5db026c1778ed5d261846c1f
humanhash:	iowa-nine-speaker-burger
File name:	2d3e4a0d5db026c1778ed5d261846c1f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	680'960 bytes
First seen:	2022-01-08 15:58:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3f07075ef838296be9ff2ad3cf3a6bc2 (2 x RedLineStealer, 1 x KPOTStealer, 1 x ArkeiStealer)
ssdeep	12288:D6iTqFLqPkLEYixXH8jmZ7OVU8xpkwNj48SU/k87jS:Dko0EYosjFVU8xXNjTBvS
Threatray	870 similar samples on MalwareBazaar
TLSH	T172E412227AA0C036D6A616741935D26C1F3B7E326E74C487768823CD4F372D49A3A7A7
File icon (PE):
dhash icon	fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

354

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2d3e4a0d5db026c1778ed5d261846c1f.exe

Verdict:

Malicious activity

Analysis date:

2022-01-08 16:01:05 UTC

Tags:

evasion opendir loader trojan rat redline

Link:

https://app.any.run/tasks/f5b14523-c114-4ad1-90b4-730cf67acd7c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/217829/

Detection(s):

Win.Dropper.Tofsee-9919472-0

Win.Dropper.Lockbit-9919572-0

Win.Malware.Stopcrypt-9933337-0

Win.Dropper.Tofsee-9934046-0

Win.Dropper.Tofsee-9934861-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending a TCP request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3867/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61d9b4cb02e388f9fdb6c67a/reports/4f5c7b6c-b037-43f7-96b9-c8919f956995/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6199f801-0901-4d67-8b61-b19ad9ccbd73

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/917155

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e5fa3a5fc4f1e1c8286a6bd37ea4b40f6879e629f27e64e7dd491fb42dc6fe36/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-01-08 15:59:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4x5dux6e6hq4qkdknpjx5jfub5uhtzrj6j7gjz65jep3ilog7y3a._file

Verdict:

malicious

RedLineStealer

1c9280c4101e0bcdd266eeda804e61f07bfd5a2a08117077abf7ef63ae8347b6

RedLineStealer

2c49fcbd5eda5275d8d2ef98ee7e0c63d978b6d904e3e750ea9d01e52fe16ce9

RedLineStealer

96feb301b146625ffc5c397df1c72bc77c7f76e817f4adc294962a4d034841d9

RedLineStealer

a8065894783bc05b961b4ce6a0d8a3dd0d1edcc83b294b18df7af0dab0db430a

RedLineStealer

ab4589cf2650c1ae3e7a3b8dcf7749f46b81231f4f116fe15b0871ca366267c7

RedLineStealer

d147f74b457cd669430ad9508c5aded7437ce700694e461d10a55215ccb37714

RedLineStealer

d3871fdb5a8fe94cd12f6cc9e16c7b18aa7843f3a3058429e3ee92d0f87a977a

RedLineStealer

+ 860 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery spyware stealer suricata

Link:

https://tria.ge/reports/220108-te3beadeem/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Unpacked files

SH256 hash:

86cec2665ff431668f274fecddf883fb5b532c06ee1a495ce60d5fbbb90c3a33

MD5 hash:

f7246b8631cad60d643fe3625a823397

SHA1 hash:

3aabf69029480970b338bb37a511d307aaf40c79

Link:

https://www.unpac.me/results/b77f00e3-ef0a-41c7-8fd8-a112ced6d131/

SH256 hash:

e5fa3a5fc4f1e1c8286a6bd37ea4b40f6879e629f27e64e7dd491fb42dc6fe36

MD5 hash:

2d3e4a0d5db026c1778ed5d261846c1f

SHA1 hash:

d734f5eb7071e9d2309d933471b6e22e3fdc35cb

Link:

https://www.unpac.me/results/b77f00e3-ef0a-41c7-8fd8-a112ced6d131/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e5fa3a5fc4f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e5fa3a5fc4f1e1c8286a6bd37ea4b40f6879e629f27e64e7dd491fb42dc6fe36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers