MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7aea847c8133a0d6f619c847951d982e97e5f54c91e4c5562a7f15b6202fd07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7aea847c8133a0d6f619c847951d982e97e5f54c91e4c5562a7f15b6202fd07
SHA3-384 hash: 1027833f926b759cfa6a6c7516f602844f4e0c42471b74a717979caa917fac5f090e470b5fd8c90fd401969cdf57ac15
SHA1 hash: cc59ac1a24f18b33e43a973a7325c4bdabfc3abb
MD5 hash: 5ceb7ba81b838f6205f48da133ff3483
humanhash: florida-ink-gee-william
File name:info.bin
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:13'471'744 bytes
First seen:2023-10-01 13:26:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 393216:2EESgzjhhJtwre72mVURTBivGpbKPrF2aNPNgWnv:LESgptw8gTBiv/rF2alNpv
Threatray 424 similar samples on MalwareBazaar
TLSH T167D63338BB598090F909E175B44DC5908FD77D3DA0AC8E67289D379E5F376B0801B2BA
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8c0f794d4d6907ce (2 x RedLineStealer, 1 x Stealc)
Reporter JAMESWT_WT
Tags:77-91-97-131 bookinggoogledrive exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
http://77.91.97.131/333/info.exe
Verdict:
Malicious activity
Analysis date:
2023-09-20 15:16:20 UTC
Tags:
loader stealer redline
Link:
https://app.any.run/tasks/8a5ace80-fc5f-42b6-b0da-be032eaecc51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61245.21912.5441.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a window
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed smartassembly vidar
Link:
https://www.filescan.io/uploads/651973a9f1b40cb0d6256c76/reports/0167c3f6-fd52-438f-b2fb-0ca262a2e4db/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e7aea847c8133a0d6f619c847951d982e97e5f54c91e4c5562a7f15b6202fd07
Result
Verdict:
MALICIOUS
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/526cbe7e-4cf0-439a-bcae-cb30f8d86e30
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317539
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7aea847c8133a0d6f619c847951d982e97e5f54c91e4c5562a7f15b6202fd07/
Threat name:
ByteCode-MSIL.Trojan.ArkeiStealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 18:15:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46xkqr6icm5a233btschsuozqlux4x2uzepeyvlcu7yvwyqc7udq._file
Verdict:
malicious
Similar samples:
020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
RedLineStealer
22a1c9382690cbdba4b862fdc47836456ceafa75184a74f0acbc20603dc5c125
RedLineStealer
3eb4461a974c2782837b65b5c8a96615aa401b2277c04251a72dfb21a8e57113
RedLineStealer
47922c37197617760a2c8b286b26d63acc3f4e2aa5e6941a64038474a5a13883
RedLineStealer
84dba96c71e6d9b5a098e15830bd8226b05d513fdb8fce9dd78bf49bf11e9b6f
RedLineStealer
8f69a2763ee1135b7dfd2fd6ab98649a164c022c2b3a4dbf1be3e97d1d80f3bd
RedLineStealer
98f467c12ff867304a01dd56534a52a54674f87965720bd75a783fdf6dd4e9d2
RedLineStealer
d6702ffbfccb1f8aaa0e40c39a2257f0da03fdbff4b9aeb528156e316d6b0701
RedLineStealer
e4f45c6d4fe93cdf34ccfd2a76334728dd2af53cf1eaf2e8acd32e519d255420
RedLineStealer
f4a74294fb587bdf5cf32d2d58aec90458e13c3cdfa2bbdd2ac14722e1c5e4c2
RedLineStealer
+ 414 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/231001-qp34xabb2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
RedLine
RedLine payload
Unpacked files
SH256 hash:
ea02c0e353f3dcd2579a5a84f2f3fe3d3937287fb3f72289fd624c7936117a9e
MD5 hash:
a544fda09bc6c85014c97d138600bf74
SHA1 hash:
f13ee21b57fb5753d5be2669ccdeebd754828ace
Link:
https://www.unpac.me/results/2db51e53-f186-4b04-a8e2-e84ae7fbafc2/
SH256 hash:
31f11124f88fc142e201f13d2b8301c902338b17f84f9a90f105941330f7db62
MD5 hash:
66c9f64257f261a46d691a69f58d55c4
SHA1 hash:
bb02710ce419f869b9cc9f09534688be22714ba7
Link:
https://www.unpac.me/results/2db51e53-f186-4b04-a8e2-e84ae7fbafc2/
SH256 hash:
8c085560c0f7d6585ccb1b5bb21e809038c1e94081f7a282855da3b80b6d3bc6
MD5 hash:
05099f149e5d66c454f490bc859937d3
SHA1 hash:
a91d8113ae7699cc31a6e2d67904fd29e213062e
Link:
https://www.unpac.me/results/2db51e53-f186-4b04-a8e2-e84ae7fbafc2/
SH256 hash:
4db815c2b1551d311ad6da5eca3689721863de4a7abe5cf87209fcc2c8158b9b
MD5 hash:
4e26f81ee4a2ff7397b136d2a529483c
SHA1 hash:
85d9c70b7b6a6887998d69de4c9e6dec85a4417d
Link:
https://www.unpac.me/results/2db51e53-f186-4b04-a8e2-e84ae7fbafc2/
SH256 hash:
e7aea847c8133a0d6f619c847951d982e97e5f54c91e4c5562a7f15b6202fd07
MD5 hash:
5ceb7ba81b838f6205f48da133ff3483
SHA1 hash:
cc59ac1a24f18b33e43a973a7325c4bdabfc3abb
Link:
https://www.unpac.me/results/2db51e53-f186-4b04-a8e2-e84ae7fbafc2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7aea847c813/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7aea847c8133a0d6f619c847951d982e97e5f54c91e4c5562a7f15b6202fd07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_stealer_bytecodes_sep_203
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e7aea847c8133a0d6f619c847951d982e97e5f54c91e4c5562a7f15b6202fd07

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2715598/
  
Delivery method
Distributed via web download

Comments