MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e64aadbd17acea6562868dab3183be3b05a616cafe6f1fb113480ff030fa9211. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e64aadbd17acea6562868dab3183be3b05a616cafe6f1fb113480ff030fa9211
SHA3-384 hash: daefe6193007fcbbc4648fa5b4077812a28735210c89f661633cd85c17747bfbad5ddb9872a4c1c535eee18645cd8ed0
SHA1 hash: 7655c207d97b58be6ecb0226148b4ea1ede0c9b2
MD5 hash: 9014fa352cb0685ef64137b3ee40f7c6
humanhash: mexico-william-equal-victor
File name:9014fa352cb0685ef64137b3ee40f7c6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'760'136 bytes
First seen:2022-05-17 10:50:04 UTC
Last seen:2022-05-17 12:08:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ce23aaeb2cfe3bb8cb34d8e9ff37ded9 (1 x RedLineStealer)
ssdeep 49152:IgjUYUiF5fq55iR8SteO7tl3GmdRiSnTkGnSnTkGQrXnudAVv:IgHF5fq55AF8O7tpKSQGnSQGWudAl
Threatray 797 similar samples on MalwareBazaar
TLSH T1B0D53385C0A0543FE1A7407732E5AD3D0721DF633A27D5CEA858B2B177BD768A1227A3
File icon (PE):PE icon
dhash icon e8f0b21bce7beae8 (3 x CoinMiner, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-05-17 03:05:11 UTC
Tags:
evasion trojan socelars stealer loader rat redline socksbot backdoor ransomware stop amadey opendir
Link:
https://app.any.run/tasks/12b1b1f4-62c1-4a37-831c-50b16a1cb291

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271510/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll update.exe wacatac
Link:
https://www.filescan.io/uploads/62837e816c85fb24969aa4f3/reports/c3ba1048-1494-44a8-a8da-59d9791c7952/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45c85446-c040-4d87-8164-fb59db855c19
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995733
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e64aadbd17acea6562868dab3183be3b05a616cafe6f1fb113480ff030fa9211/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 09:58:14 UTC
File Type:
PE (Exe)
Extracted files:
99
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zfk3pixvtvgkyugrwvtda56hmc2mfwk7zxr7mitjah7amh2siiq._file
Verdict:
malicious
Similar samples:
3507442790a6d27bf658e39d8be816c615bafdb98bcf623a2a4a36440a29cc57
RedLineStealer
436c9071616192510f4ec380918b02d17a2046fc74034ccad90b800fcd8dab17
RedLineStealer
7b56c37bff2fcded39ac0a413320b1705c70c78d257a2f87327d759afa0c10f2
RedLineStealer
be0e88736ccfe77179092d6cf517b34aa32e1cb1e4fc47d98ceb97522d138027
RedLineStealer
c2edd73c44beb4bae6d666109f793c0e246a1cc28bf868d10841023283d880d5
RedLineStealer
c4723b946e8913f59ccb64d9025440820124104c653c79023f09d28da35d0442
RedLineStealer
c4dea5508ce6f00cc43eb9d2bfe55c7d79026aee8f414787699a4983f226ccf7
RedLineStealer
cecab57f1a85a181d806e2a782a030616f8a23b0f1cb3d2cdc0736c9bf72678a
RedLineStealer
dfc1aa0acee671f96551980d2e846b287e1f19edde0847cc3e851ac5e9ce6ad5
RedLineStealer
+ 787 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220517-mxs25addbm/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Unpacked files
SH256 hash:
a9673181d981db88946dbcd1c378486890ee5dab1f98ed0a2f343728ade3a58c
MD5 hash:
3839d79d24941bf13076b791d3b18de6
SHA1 hash:
2289fb87aadcf4a9b0ee43fd427fbf2c77df2f3e
Link:
https://www.unpac.me/results/a16bb633-4bfc-4227-af95-d96b68e3efc4/
SH256 hash:
e64aadbd17acea6562868dab3183be3b05a616cafe6f1fb113480ff030fa9211
MD5 hash:
9014fa352cb0685ef64137b3ee40f7c6
SHA1 hash:
7655c207d97b58be6ecb0226148b4ea1ede0c9b2
Link:
https://www.unpac.me/results/a16bb633-4bfc-4227-af95-d96b68e3efc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e64aadbd17acea6562868dab3183be3b05a616cafe6f1fb113480ff030fa9211

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e64aadbd17acea6562868dab3183be3b05a616cafe6f1fb113480ff030fa9211

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1828281/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/271510/

Comments