MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7e28f077f83dcfebf707111ec7bf00c7ce823559a62a4e17d89005662545858. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7e28f077f83dcfebf707111ec7bf00c7ce823559a62a4e17d89005662545858
SHA3-384 hash: 5d9c5a23bd0e51e61f8e1ae1486d6729cabb8200b933361d0c7820d85e65af38aa8b9285f435390596e1294b21b807c5
SHA1 hash: d19184dc797b01450a28510eb2477d72c622c6da
MD5 hash: 7954c5b6d7dff8d9e24d17ef4c8a5494
humanhash: georgia-shade-hotel-mountain
File name:7954c5b6d7dff8d9e24d17ef4c8a5494.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'054'208 bytes
First seen:2023-05-19 09:05:22 UTC
Last seen:2023-05-20 14:50:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:5yCRMyNe7USDChK+qFox/IsDrsIocY5Zx+lQ0/T2b:sQMyNIXiK7mQsDrTYZx++Z
Threatray 2'861 similar samples on MalwareBazaar
TLSH T19B252307D9DD8136D8B127B0DCF715A34771BCA24D7A039A2789AC8A4DF2650BA3173B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.91.68.253:41783

Intelligence

File Origin
# of uploads :
9
# of downloads :
239
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
7954c5b6d7dff8d9e24d17ef4c8a5494.exe
Verdict:
Malicious activity
Analysis date:
2023-05-19 09:10:12 UTC
Tags:
redline
Link:
https://app.any.run/tasks/ec2a5677-e7f5-45e7-90da-14aa1c35a619

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/85652/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll CAB greyware installer lolbin packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/64673bfb0b0e03147aaa05c2/reports/ce398c15-e42f-4849-8dfd-b49e026fba1b/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1307453
Link:
https://www.hybrid-analysis.com/sample/e7e28f077f83dcfebf707111ec7bf00c7ce823559a62a4e17d89005662545858
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2562e61-5d6a-4a10-b6db-f455fd9c35fa
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237005
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869999 Sample: bAn8o3LSq5.exe Startdate: 19/05/2023 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 8 other signatures 2->51 8 bAn8o3LSq5.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 file4 31 C:\Users\user\AppData\Local\...\x3143686.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\Local\...\i7121216.exe, PE32 8->33 dropped 15 x3143686.exe 1 4 8->15         started        process5 file6 35 C:\Users\user\AppData\Local\...\x8970403.exe, PE32 15->35 dropped 37 C:\Users\user\AppData\Local\...\h7080956.exe, PE32 15->37 dropped 41 Antivirus detection for dropped file 15->41 43 Machine Learning detection for dropped file 15->43 19 x8970403.exe 1 4 15->19         started        signatures7 process8 file9 27 C:\Users\user\AppData\Local\...\g6204676.exe, PE32 19->27 dropped 29 C:\Users\user\AppData\Local\...\f3313883.exe, PE32 19->29 dropped 53 Antivirus detection for dropped file 19->53 55 Multi AV Scanner detection for dropped file 19->55 57 Machine Learning detection for dropped file 19->57 23 f3313883.exe 2 19->23         started        signatures10 process11 dnsIp12 39 77.91.68.253, 41783, 49690, 49695 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 23->39 59 Antivirus detection for dropped file 23->59 61 Multi AV Scanner detection for dropped file 23->61 63 Machine Learning detection for dropped file 23->63 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7e28f077f83dcfebf707111ec7bf00c7ce823559a62a4e17d89005662545858/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 09:06:05 UTC
File Type:
PE (Exe)
Extracted files:
118
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47ri6b37qpop5p3qoei6y67qbr6oqi2vtjrkjyl5reafmysulbma._file
Verdict:
malicious
Similar samples:
162e7d9def571babef55901131e9835a8b0442b1a49df29358099e8333464abb
RedLineStealer
3189e5fd5c5ad071968b0966525581bdab5ca86d16af194d9a38452279c60543
RedLineStealer
38e769addc2d07c0aaba3bf8fa9044da97ca1723b9efc3dd8ceb166d7f811cde
RedLineStealer
502714051f40a9ad7faf861e43514769da5c61da47005ac4ac3dd8883fb9e916
RedLineStealer
9cde09a53bc455b9f22d8e8a3f54460fee58adfe365e85f7cc3f7bbe96947b46
RedLineStealer
dab0d575cb650dae64243a3e53d3e2de98e25d819d1f87212fcbe38e54135cc0
RedLineStealer
ef35bb50d1328df4526a49ef3e02e2bf2a52629508ad6d767944a614606c36bc
RedLineStealer
fb490bbd9f7d9b7365486282fdc05fe808535f1277a3fbfac50c35130b9e2620
RedLineStealer
fe08452040cf960e4d27560e18d8a8d6148301fb12ffb3024e5b33ff98f807ab
RedLineStealer
fe182a0706aa566412d2278ad6910720e7bc8dc5f3a411ba41472e013a24fa1e
RedLineStealer
+ 2'851 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:dizer infostealer persistence
Link:
https://tria.ge/reports/230519-k2qfpada36/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
77.91.68.253:41783
Unpacked files
SH256 hash:
6e9ab83bfcb15755aacc9fd5994c8bf5c0c0a39cc5806daae0a6563b955e00cb
MD5 hash:
ddebde1fa9babc0443303e4f05016716
SHA1 hash:
dd4f6696989928923d51fc4222dfea597d8cc0fe
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/fa5b922d-a904-40bf-93aa-255b6b639125/
Parent samples :
95ccce304a02de6d04b468d94b9fd8ee06b61f0c7b0de96752ab2188d644a9ca
e7e28f077f83dcfebf707111ec7bf00c7ce823559a62a4e17d89005662545858
SH256 hash:
2a318a00f9b00a40f13b40712eb333c515e9ae04d9c1d5719ed0514e1928a508
MD5 hash:
1286fb709af1a001e92b066d4abf8774
SHA1 hash:
cdbc20aefc102b8cffffefe13e9a1dfb0f6ebf14
Link:
https://www.unpac.me/results/fa5b922d-a904-40bf-93aa-255b6b639125/
SH256 hash:
04968d7b802efb4a7c07a395d0c835e0ae4e9eec44465f57dd00a81217e19baf
MD5 hash:
4f8e588b4817d33a2e7ce3eae577816f
SHA1 hash:
29388304f10533f97d1c4c8d1764b4d9b617ec08
Link:
https://www.unpac.me/results/fa5b922d-a904-40bf-93aa-255b6b639125/
SH256 hash:
e7e28f077f83dcfebf707111ec7bf00c7ce823559a62a4e17d89005662545858
MD5 hash:
7954c5b6d7dff8d9e24d17ef4c8a5494
SHA1 hash:
d19184dc797b01450a28510eb2477d72c622c6da
Link:
https://www.unpac.me/results/fa5b922d-a904-40bf-93aa-255b6b639125/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7e28f077f83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7e28f077f83dcfebf707111ec7bf00c7ce823559a62a4e17d89005662545858

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e7e28f077f83dcfebf707111ec7bf00c7ce823559a62a4e17d89005662545858

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2636944/
  
Delivery method
Distributed via web download

Comments