MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e86743da00450b087f82b1a44bb34acd4b5713635733d7cf120b1bc5d4a1e0be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments 1

SHA256 hash:	e86743da00450b087f82b1a44bb34acd4b5713635733d7cf120b1bc5d4a1e0be
SHA3-384 hash:	aa240eb77072b37e75c19c51ee2df5466bf3ff4377f20c5c1eb1a75fc6c7b7b4de8e859aee211533e1f370b697ca438f
SHA1 hash:	27557a53936b45ec35b36dce74d0e9abdfb8c561
MD5 hash:	9f121ee2473531f6c093171dd316e59b
humanhash:	friend-nebraska-bacon-vermont
File name:	9f121ee2473531f6c093171dd316e59b
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	333'312 bytes
First seen:	2022-07-11 22:51:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f6ac66dfc908f152b7aaba0e648ee22e (4 x RedLineStealer)
ssdeep	6144:787eYlKmzND+Dbk6V9+jddyFeNI9VNOdhCO/tiga:78dlnNaDY6V9+j/yX9VNOdhH4
Threatray	6'500 similar samples on MalwareBazaar
TLSH	T11464F15173E1C832F8A31E708434E7A1693BBD11A534988BF7B0BB6E1E3538116B6376
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea6ac8ccc (78 x RedLineStealer, 43 x Smoke Loader, 13 x Stop)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

353

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

9f121ee2473531f6c093171dd316e59b

Verdict:

Malicious activity

Analysis date:

2022-07-11 22:55:49 UTC

Tags:

redline trojan rat

Link:

https://app.any.run/tasks/3246988d-2dfd-4771-8f6e-8bf2d759eae3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/286404/

Detection(s):

Win.Packed.Fugrafa-9955718-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62cca997bbcf6baf279502ce/reports/bc627fee-61ea-4e82-8d87-b5776d5c83d0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f463a435-6579-4e2b-b83d-a2822d5843d9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1029066

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e86743da00450b087f82b1a44bb34acd4b5713635733d7cf120b1bc5d4a1e0be/

Threat name:

Win32.Trojan.Redlinestealer

Status:

Malicious

First seen:

2022-07-11 22:52:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5btuhwqaiufqq74cwgsexm2kzvfvoe3dk4z5ptysbmn4lvfb4c7a._file

Verdict:

malicious

RedLineStealer

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01

RedLineStealer

b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0

RedLineStealer

b35e9c0d9230cdcf4531fa84184e99f79f4de3fd91264f7ab3ce7d23246a8669

RedLineStealer

beea56a23dafd425aa57b3b05cd4d44c7615633292b20fb9bb22e08469fa6634

RedLineStealer

c404cc3a18e98ff81b63518df694118ecdec9948ce72f511cc828f93af5c4e7e

RedLineStealer

df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d

RedLineStealer

e850cca968b1fdf62034565ab6e6a3c76dd77d956771a81797567bba3de51718

RedLineStealer

f7491341509fe582a63437f0f92c3c66a6f4c98c20ff8e6574e1ecf844d4fa19

RedLineStealer

+ 6'490 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mariobalotelli discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220711-2tc9tsgbh3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.233.48.58:43014

Unpacked files

SH256 hash:

3d5b6295ec459e60f22cc41423a8194fa963f062b17782d32ac604ba92c6f2e7

MD5 hash:

c78ee71882533c38bd79fc6091b40362

SHA1 hash:

83d730bb8c8fa92440f2f5431c5839b3eed102b5

Link:

https://www.unpac.me/results/af7e91a3-87f5-4878-baec-c5f656e51c7a/

SH256 hash:

a372264a36e8091da7eda95625e32bc4994b9ad4d04b6e0268970ccfb6e78780

MD5 hash:

374787251a04f7e4eade3d0f8e45a57e

SHA1 hash:

64bdec4306abedffb000b238f23a44c6cc5d7384

Link:

https://www.unpac.me/results/af7e91a3-87f5-4878-baec-c5f656e51c7a/

SH256 hash:

4f802d742fdf23ec0807ce59546217fffa749a709e26ddbaa2186d967e3804fc

MD5 hash:

c55ff2456007a49b783fcf23705bdfa8

SHA1 hash:

5af3d74086d8df193c8d1b9bee2819a9b833d728

Link:

https://www.unpac.me/results/af7e91a3-87f5-4878-baec-c5f656e51c7a/

SH256 hash:

e86743da00450b087f82b1a44bb34acd4b5713635733d7cf120b1bc5d4a1e0be

MD5 hash:

9f121ee2473531f6c093171dd316e59b

SHA1 hash:

27557a53936b45ec35b36dce74d0e9abdfb8c561

Link:

https://www.unpac.me/results/af7e91a3-87f5-4878-baec-c5f656e51c7a/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e86743da0045/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e86743da00450b087f82b1a44bb34acd4b5713635733d7cf120b1bc5d4a1e0be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.