MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e619e75c957ab027aebf09abae9d8dfd863c0a5720137702ee2eb7d2500cb266. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	e619e75c957ab027aebf09abae9d8dfd863c0a5720137702ee2eb7d2500cb266
SHA3-384 hash:	a40f9ace74997836303b433a3d3cf454ef98f9f65735547008c2039fb74e6e386ded2e97814b500b0b8452dcb25a5a4c
SHA1 hash:	54e2b5d97bf28feaaa53415f43fb751f9b8179ac
MD5 hash:	243f96b9072be90fdafb4ec07b95dc40
humanhash:	eighteen-virginia-october-crazy
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'238'432 bytes
First seen:	2022-08-29 09:59:40 UTC
Last seen:	2022-08-29 16:30:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep	98304:OxX67n9G+lTSaAeBUr1LsYm4usJTcL6onykapyjOGsRUey1elNuq:OY9rTSmYm4us0yrZRNnDuq
Threatray	65 similar samples on MalwareBazaar
TLSH	T1EF36126322690096E0D58C35C927BD9531F11F578B43ACFB1EEAFDD51A320EAF222953
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	6872f2d494148c8f (2 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Acer Aspire C27-1655 DQ.BGHER.00S
Issuer:	Acer Aspire C27-1655 DQ.BGHER.00S
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-08-27T10:20:56Z
Valid to:	2032-08-28T10:20:56Z
Serial number:	1466caa981b6b9934a6d6212c0370ce3
Intelligence:	12 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	2395a9982a12eabd43ed97ac4569269fda79e30732e48d47e50f1168ea2ce2ab
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://www.6autumns.com/wp-content/uploads/2018/08/img/v28080.exe

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-08-29 10:01:56 UTC

Tags:

trojan rat redline loader

Link:

https://app.any.run/tasks/536c4821-820c-4a80-8a27-10a352bb7c31

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/302163/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.3681.23225.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the system32 subdirectories

DNS request

Sending a custom TCP request

Creating a file

Сreating synchronization primitives

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Creating a process from a recently created file

Creating a file in the %AppData% directory

Launching a process

Enabling the 'hidden' option for recently created files

Running batch commands

Creating a process with a hidden window

Sending an HTTP POST request

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm overlay packed

Link:

https://www.filescan.io/uploads/630c8e4c3e9e50b1bae7f151/reports/0bfccbf2-7389-4801-aad5-7a8a558d2798/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1262ff7f-87cc-4ae9-9091-e277e6bdb70a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1059725

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e619e75c957ab027aebf09abae9d8dfd863c0a5720137702ee2eb7d2500cb266/

Threat name:

ByteCode-MSIL.Infostealer.RedLine

Status:

Malicious

First seen:

2022-08-29 10:00:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ym6oxevpkycplv7bgv25hmn7wddycsxeajxoaxof235euamwjta._file

Verdict:

malicious

RedLineStealer

20e575e0d8217edd3ce02e8effff5b9f0af9d14b33a4955a53f3af8209cca054

RedLineStealer

2290f519814b4f5922e43136a74b56f152534024364cfdf26f144d3985cd9521

RedLineStealer

3d538725fd27edb771e7e5c07a11508d7363dc6f0bdb438240bd34eae746aeed

RedLineStealer

3e8d0e5a6d3935c151b59f8fd527b12d7f0e52c661caa2539beb460bebc898c1

RedLineStealer

56cbf44b2f24b1369efcf6cb7d48460415b591f17ee2a54136fbb1d2719f8343

RedLineStealer

6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22

RedLineStealer

872e5d0f0194ffd58368c3e34192122ddc051722fddc5c7ec2fb546c686dfcca

RedLineStealer

d3ed01491be110b60e443477e30f0efe6f7831fe7cb020ef70eb87afad73c9d2

RedLineStealer

f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d

RedLineStealer

+ 55 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220829-l1nfdafdcq/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine payload

Unpacked files

SH256 hash:

0a249f70a48736e4797af5bd3ecac2df01971505299be6641b1b41a294151d28

MD5 hash:

e7a5aedecb27834230699bab205dfa8a

SHA1 hash:

46edb7f5f0b6dcaddcfffda476bde7b9d289b181

Link:

https://www.unpac.me/results/28b92ee5-f9d6-4603-89e4-2e4c86e39216/

SH256 hash:

1ad0936cc944178c9d3b573ac23991f587a91128d735a4ec157d9f81387637bf

MD5 hash:

d852fa35bc2f6676bd0455dd977a06cb

SHA1 hash:

139e275d6d589983efc8df62c28ca7c448d24f2f

Link:

https://www.unpac.me/results/28b92ee5-f9d6-4603-89e4-2e4c86e39216/

SH256 hash:

e619e75c957ab027aebf09abae9d8dfd863c0a5720137702ee2eb7d2500cb266

MD5 hash:

243f96b9072be90fdafb4ec07b95dc40

SHA1 hash:

54e2b5d97bf28feaaa53415f43fb751f9b8179ac

Link:

https://www.unpac.me/results/28b92ee5-f9d6-4603-89e4-2e4c86e39216/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e619e75c957ab027aebf09abae9d8dfd863c0a5720137702ee2eb7d2500cb266

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/302163/

URLhaus

https://urlhaus.abuse.ch/url/2282159/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample